U.S. Department of Justice Office of Justice Programs National Institute of Justice Special REPORT Test Results for Digital Data Acquisition Tool: Tableau TD1 Forensic Duplicator; Firmware Version 2.34 Feb 17, 2011 DEC. 2011 Office of Justice Programs Innovation • Partnerships • Safer Neighborhoods www.ojp.usdoj.gov nij.gov
60
Embed
Test Results for Digital Data Acquisition Tool: Tableau ...DEC. 2011 Test Results for Digital Data Acquisition Tool: Tableau TD1 Forensic Duplicator; Firmware Version 2.34 Feb 17,
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
US Department of Justice Office of Justice Programs National Institute of Justice
Special RepoRt
Test Results for Digital Data Acquisition Tool Tableau TD1 Forensic Duplicator Firmware Version 234 Feb 17 2011
DE
C 2
011
Office of Justice Programs Innovation bull Partnerships bull Safer Neighborhoods
wwwojpusdojgov
nijgov
US Department of Justice Office of Justice Programs
810 Seventh Street NW
Washington DC 20531
Eric H Holder Jr Attorney General
Laurie O Robinson Assistant Attorney General
John H Laub Director National Institute of Justice
This and other publications and products of the National Institute
Test Results for Digital Data Acquisition Tool Tableau TD1 Forensic Duplicator Firmware Version 234 Feb 17 2011
NCJ 236223
John Laub
Director National Institute of Justice
This report was prepared for the National Institute of Justice US Department of Justice by the Office of Law Enforcement Standards of the National Institute of Standards and Technology under Interagency Agreement 2003ndashIJndashRndash029
The National Institute of Justice is a component of the Office of Justice Programs which also includes the Bureau of Justice Assistance the Bureau of Justice Statistics the Office of Juvenile Justice and Delinquency Prevention and the Office for Victims of Crime
July 2011
Test Results for Digital Data Acquisition Tool Tableau TD1 Forensic Duplicator Firmware Version 234 Feb 17 2011
Contents
Introduction1 How to Read This Report 1 1 Results Summary 3 2 Test Case Selection 4 3 Results by Test Assertion5
July 2011tableau_td1_nij 72811_KE edit 1024doc ii Tableau T
Introduction
The Computer Forensics Tool Testing (CFTT) program is a joint project of the National Institute of Justice (NIJ) the Department of Homeland Security (DHS) and the National Institute of Standards and Technologyrsquos Law Enforcement Standards Office and Information Technology Laboratory CFTT is supported by other organizations including the Federal Bureau of Investigation the US Department of Defense Cyber Crime Center the US Internal Revenue Service Criminal Investigation Division Electronic Crimes Program and the US Department of Homeland Securityrsquos Bureau of Immigration and Customs Enforcement US Customs and Border Protection and US Secret Service The objective of the CFTT program is to provide measurable assurance to practitioners researchers and other applicable users that the tools used in computer forensics investigations provide accurate results Accomplishing this requires the development of specifications and test methods for computer forensics tools and subsequent testing of specific tools against those specifications
Test results provide the information necessary for developers to improve tools users to make informed choices and the legal community and others to understand the toolsrsquo capabilities The CFTT approach to testing computer forensic tools is based on well-recognized methodologies for conformance and quality testing The specifications and test methods are posted on the CFTT Web site (httpwwwcfttnistgov) for review and comment by the computer forensics community
This document reports the results from testing the Tableau TD1 Forensic Duplicator firmware version 234 Feb 17 2011 against the Digital Data Acquisition Tool Assertions and Test Plan Version 10 available at the CFTT Web site (httpwwwcfttnistgovDA-ATP-pc-01pdf)
Test results from other tools and the CFTT tool methodology can be found on NIJrsquos CFTT Web page httpwwwnijgovnijtopicsforensicsevidencedigitalstandardscftthtm
How to Read This Report This report is divided into five sections The first section is a summary of the results from the test runs and is sufficient for most readers to assess the suitability of the tool for the intended use The remaining sections of the report describe how the tests were conducted discuss any anomalies that were encountered and provide documentation of test case run details that support the report summary Section 2 gives justification for the selection of test cases from the set of possible cases defined in the test plan for Digital Data Acquisition tools The test cases are selected in general based on features offered by the tool Section 3 describes in more depth any anomalies summarized in the first section Section 4 lists hardware and software used to run the test cases with links to additional information about the items used Section 5 contains a description of each test case run
that lists all test assertions used in the test case the expected result and the actual result Please refer to the vendorrsquos owner manual for guidance on using the tool
July 2011 2 of 53 Tableau TD1 Forensic Duplicator
Test Results for Digital Data Acquisition Tool Tool Tested TD1 Forensic Duplicator
Firmware Version 234 Feb 17 2011
Supplier Guidance Software Inc
Address W223 N608 Saratoga Drive Waukesha WI 53186
Tel (262) 522-7890 Fax (262) 522-7899
Email supporttableaucom WWW httpwwwtableaucom
1 Results Summary The tool acquired source drives completely and accurately with the exception of the following one case where a source drive containing faulty sectors was imaged and two cases where source drives containing hidden sectors were imaged In addition there were two cases where the tool generated bogus alert messages in place of alerting the user to the presence of hidden sectors on the source drive
The following behaviors were observed bull When the tool was executed using the fast error recovery mode and faulty sectors
were encountered some readable sectors near the faulty sectors were replaced by zeros in the created clone (test case DA-09-FAST) This is the intended tool behavior as specified by the tool vendor
bull In two cases DA-08-ATA28 (drive containing an HPA) and DA-08-DCO-ALT (drive containing a DCO) in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 the tool removed the HPA from the source and all sectors were acquired In case DA-08-DCO-ALT the tool did not remove the DCO from the source and hidden sectors were not acquired
bull The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using the ldquoDisk Utilitiesrdquo Remove DCO amp HPA menu option In cases DA-08-DCO and DA-08-DCO-ALT the Remove DCO amp HPA option was not exercised and sectors hidden by a DCO were not acquired In case DA-08-DCO-ALT-SATA the Remove DCO amp HPA option was exercised to remove the DCO and all sectors were successfully acquired
July 2011 3 of 53 Tableau TD1 Forensic Duplicator
2 Test Case Selection Test cases used to test disk imaging tools are defined in Digital Data Acquisition Tool Assertions and Test Plan Version 10 To test a tool test cases are selected from the Test Plan document based on the features offered by the tool Not all test cases or test assertions are appropriate for all tools There is a core set of base cases (DA-06 and DA-08) that are executed for every tool tested Tool features guide the selection of additional test cases If a given tool implements a given feature then the test cases linked to that feature are run Table 1 lists the features available in the TD1 Forensic Duplicator and the linked test cases selected for execution Table 2 lists the features not available in the TD1 Forensic Duplicator and the test cases not executed
Table 1 Selected Test Cases
Supported Optional Feature Cases Selected for Execution Create a clone during acquisition 01 Create a truncated clone from a physical device 04 Base cases 06 amp 08 Read error during acquisition 09 Create an image file in more than one format 10 Destination device switching 13
Table 2 Omitted Test Cases
Unsupported Optional Feature Cases Omitted (Not Executed) Create an unaligned clone from a digital source 02 Create cylinder aligned clones 03 15 21 amp 23 Device IO error generator available 05 11 amp 18 Create an image of a partition 07 Insufficient space for image file 12 Create a clone from an image file 14 amp 17 Create a clone from a subset of an image file 16 Fill excess sectors on a clone acquisition 19 Fill excess sectors on a clone device 20 21 22 amp 23 Detect a corrupted (or changed) image file 24 amp 25 Convert an image file from one format to another 26
Some test cases have variant forms to accommodate parameters within test assertions These variations cover the acquisition interface to the source drive and the way that sectors are hidden on a drive Additional parameters that were varied between test cases were interface to target device use of the verify hash setting error recovery mode and chunk (image file) size
The following source access interfaces were tested ATA28 ATA48 SATA28 SATA48 and ESATA These are noted as variations on test cases DA-01 DA-06 and DA-08
July 2011 4 of 53 Tableau TD1 Forensic Duplicator
For test case DA-09 the TD1 Forensic Duplicator offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some good sectors bull complete ndash reads all readable sectors
3 Results by Test Assertion A test assertion is a verifiable statement about a single condition after an action is performed by the tool under test A test case usually checks a group of assertions after the action of a single execution of the tool under test Test assertions are defined and linked to test cases in Digital Data Acquisition Tool Assertions and Test Plan Version 10 Table 3 summarizes the test results for all the test cases by assertion The column labeled Assertions Tested gives the text of each assertion The column labeled Tests gives the number of test cases that use the given assertion The column labeled Anomaly gives the section number in this report where any observed anomalies are discussed
Table 3 Assertions Tested
Assertions Tested Tests Anomaly AM-01 The tool uses access interface SRC-AI to access the digital source
20
AM-02 The tool acquires digital source DS 20 AM-03 The tool executes in execution environment XE 20 AM-04 If clone creation is specified the tool creates a clone of the digital source
6
AM-05 If image file creation is specified the tool creates an image file on file system type FS
14
AM-06 All visible sectors are acquired from the digital source 20 31 AM-07 All hidden sectors are acquired from the digital source 5 32 AM-08 All sectors acquired from the digital source are acquired accurately
20
AM-09 If unresolved errors occur while reading from the selected digital source the tool notifies the user of the error type and location within the digital source
2
AM-10 If unresolved errors occur while reading from the selected digital source the tool uses a benign fill in the destination object in place of the inaccessible data
2
AO-01 If the tool creates an image file the data represented by the image file is the same as the data acquired by the tool
14
AO-02 If an image file format is specified the tool creates an image file in the specified format
1
AO-04 If the tool is creating an image file and there is insufficient space on the image destination device to contain the image file the tool shall notify the user
1
AO-05 If the tool creates a multi-file image of a requested size then all the individual files shall be no larger than the requested size
14
July 2011 5 of 53 Tableau TD1 Forensic Duplicator
Assertions Tested Tests Anomaly AO-10 If there is insufficient space to contain all files of a multi-file image and if destination device switching is supported the image is continued on another device
1
AO-11 If requested a clone is created during an acquisition of a digital source
6
AO-13 A clone is created using access interface DST-AI to write to the clone device
6
AO-14 If an unaligned clone is created each sector written to the clone is accurately written to the same disk address on the clone that the sector occupied on the digital source
6
AO-17 If requested any excess sectors on a clone destination device are not modified
4
AO-19 If there is insufficient space to create a complete clone a truncated clone is created using all available sectors of the clone device
1
AO-20 If a truncated clone is created the tool notifies the user 1 AO-23 If the tool logs any log significant information the information is accurately recorded in the log file
20 33
AO-24 If the tool executes in a forensically safe execution environment the digital source is unchanged by the acquisition process
20
Two test assertions only apply in special circumstances The assertion AO-22 is checked only for tools that create block hashes The assertion AO-24 is only checked if the tool is executed in a run time environment that does not modify attached storage devices such as MS DOS In normal operation an imaging tool is used in conjunction with a write block device to protect the source drive however a blocker was not used during the tests so that assertion AO-24 could be checked Table 4 lists the assertions that were not tested usually due to the tool not supporting some optional feature eg creation of cylinder aligned clones
Table 4 Assertions Not Tested
Assertions Not Tested AO-03 If there is an error while writing the image file the tool notifies the user AO-06 If the tool performs an image file integrity check on an image file that has not been changed since the file was created the tool shall notify the user that the image file has not been changed AO-07 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user that the image file has been changed AO-08 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user of the affected locations AO-09 If the tool converts a source image file from one format to a target image file in another format the acquired data represented in the target image file is the same as the
July 2011 6 of 53 Tableau TD1 Forensic Duplicator
Assertions Not Tested acquired data in the source image file AO-12 If requested a clone is created from an image file AO-15 If an aligned clone is created each sector within a contiguous span of sectors from the source is accurately written to the same disk address on the clone device relative to the start of the span as the sector occupied on the original digital source A span of sectors is defined to be either a mountable partition or a contiguous sequence of sectors not part of a mountable partition Extended partitions which may contain both mountable partitions and unallocated sectors are not mountable partitions AO-16 If a subset of an image or acquisition is specified all the subset is cloned AO-18 If requested a benign fill is written to excess sectors of a clone AO-21 If there is a write error during clone creation the tool notifies the user AO-22 If requested the tool calculates block hashes for a specified block size during an acquisition for each block acquired from the digital source
31 Acquisition of Faulty Sectors The Tableau TD1 Forensic Duplicator (firmware version 234 Feb 17 2011) offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some readable sectors near faulty sectors bull complete ndash reads all readable sectors
For test case DA-09-FAST the fast error recovery mode was specified and readable sectors in the same 128-sector imaging block as faulty sectors were skipped and replaced by zeros in the created clone For test case DA-09-COMPLETE the complete error recovery mode was specified and all readable sectors were acquired This is the behavior intended for the tool by the tool vendor
32 DCO Hidden Sector Tests The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using a Disk Utilities option In cases DA-08-DCO and DA-08-DCO-ALT the Disk Utilities option was not exercised and sectors hidden by a DCO were not acquired in case DA-08-DCO-ALT-SATA the Disk Utilities option was exercised to remove the DCO and all sectors were successfully acquired
33 Bogus Error Messages The tool is designed to warn the user prior to the start of an acquisition when a source drive contains hidden sectors (ie an HPA or DCO) In two cases DA-08-ATA28 and DA-08-DCO-ALT in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 a source drive containing an HPA was imaged The tool automatically removed the HPA and acquired all visible and hidden sectors In case DA-08-DCO-ALT a source
July 2011 7 of 53 Tableau TD1 Forensic Duplicator
drive containing a DCO was imaged In this case visible sectors were acquired but sectors hidden by a DCO were not
4 Testing Environment The tests were run in the NIST CFTT lab This section describes using the support software and notes on test hardware
41 Support Software A package of programs to support test analysis FS-TST Release 20 was used The software can be obtained from httpwwwcfttnistgovdiskimagingfs-tst20zip
42 Test Drive Creation There are three ways that a hard drive may be used in a tool test case as a source drive that is imaged by the tool as a media drive that contains image files created by the tool under test or as a destination drive on which the tool under test creates a clone of the source drive In addition to the operating system drive formatting tools some tools (diskwipe and diskhash) from the FS-TST package are used to set up test drives
To set up a media drive the drive is formatted with one of the supported file systems A media drive may be used in several test cases
The setup of most source drives follows the same general procedure but there are several steps that may be varied depending on the needs of the test case
1 The drive is filled with known data by the diskwipe program from FS-TST The diskwipe program writes the sector address to each sector in both CHS and LBA format The remainder of the sector bytes is set to a constant fill value unique for each drive The fill value is noted in the diskwipe tool log file
2 The drive may be formatted with partitions as required for the test case 3 An operating system may optionally be installed 4 A set of reference hashes is created by the FS-TST diskhash tool These include
both SHA1 and MD5 hashes In addition to full drive hashes hashes of each partition may also be computed
5 If the drive is intended for hidden area tests (DA-08) an HPA a DCO or both may be created The diskhash tool is then used to calculate reference hashes of just the visible sectors of the drive
The source drives for DA-09 are created such that there is a consistent set of faulty sectors on the drive Each of these source drives is initialized with diskwipe and then their faulty sectors are activated For each of these source drives a second drive of the same size with the same content as the faulty sector drive but with no faulty sectors serves as a reference drive for images made from the faulty drive
To set up a destination drive the drive is filled with known data by the diskwipe program from FS-TST Partitions may be created if the test case involves restoring from the image of a logical acquire
July 2011 8 of 53 Tableau TD1 Forensic Duplicator
43 Test Drive Analysis For test cases that create a clone of a physical device (eg DA-01 DA-04) the destination drive is compared to the source drive with the diskcmp program from the FS-TST package For test cases that create a clone of a logical device (ie a partition eg DA-02 DA-20) the destination partition is compared to the source partition with the partcmp program For a destination created from an image file (eg DA-14) the destination is compared using either diskcmp (for physical device clones) or partcmp (for partition clones) to the source that was acquired to create the image file Both diskcmp and partcmp note differences between the source and destination If the destination is larger than the source it is scanned and the excess destination sectors are categorized as either undisturbed (still containing the fill pattern written by diskwipe) zero filled or changed to something else
For test case DA-09 imaging a drive with known faulty sectors the program anabad is used to compare the faulty sector reference drive to a cloned version of the faulty sector drive
For test cases such as DA-06 and DA-07 any acquisition hash computed by the tool under test is compared to the reference hash of the source to check that the source is completely and accurately acquired
44 Note on Test Drives The testing uses several test drives from a variety of vendors The drives are identified by an external label that consists of a 2-digit hexadecimal value and an optional tag (eg 25-SATA) The combination of hex value and tag serves as a unique identifier for each drive The 2-digit hex value is used by the FS-TST diskwipe program as a sector fill value The FS-TST compare tools diskcmp and partcmp count sectors that are filled with the source and destination fill values on a destination that is larger than the original source
5 Test Results The main item of interest for interpreting the test results is determining the conformance of the device with the test assertions Conformance with each assertion tested by a given test case is evaluated by examining the Log Highlights box of the test case details
51 Test Results Report Key A summary of the actual test results is presented in this report The following table presents a description of each section of the test report summary The Tester Name Test Host Test Date Drives Source Setup and Log Highlights sections for each test case are populated by excerpts taken from the log files produced by the tool under test and the FS-TST tools that were executed in support of test case setup and analysis
Heading Description First Line Test case ID name and version of tool tested Case Summary Test case summary from Digital Data Acquisition Tool
Assertions and Test Plan Version 10
July 2011 9 of 53 Tableau TD1 Forensic Duplicator
Heading Description Assertions The test assertions applicable to the test case selected from
Digital Data Acquisition Tool Assertions and Test Plan Version 10
Tester Name Name or initials of person executing test procedure Test Host Host computer executing the test Test Date Time and date that test was started Drives Source drive (the drive acquired) destination drive (if a
clone is created) and media drive (to contain a created image)
Source Setup Layout of partitions on the source drive and the expected hash of the drive
Log Highlights Information extracted from various log files to illustrate conformance or nonconformance to the test assertions
Results Expected and actual results for each assertion tested Analysis Whether or not the expected results were achieved
52 Test Details
521 DA-01-ATA28 Test Case DA-01-ATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 104849 2011 Drives src(01-IDE) dst (58-IDE) other (none)Source src hash (SHA1) lt A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9 gtSetup src hash (MD5) lt F458F673894753FA6A0EC8B8EC63848E gt
78165360 total sectors (40020664320 bytes)Model (0BB-00JHC0 ) serial ( WD-WMAMC74171)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057175335 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12
July 2011 10 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027744255 102300001 102325463 05 extended 15 S 000000063 027744192 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry
LogHighlights
====== Destination drive setup ======117231408 sectors wiped with 58
====== Comparison of original to clone drive ======Sectors compared 78165360Sectors match 78165360 Sectors differ 0 Bytes differ 0 Diffs rangeSource (78165360) has 39066048 fewer sectors than destination (117231408)Zero fill 0 Src Byte fill (01) 0 Dst Byte fill (58) 39066048Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 78165360-117231407 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA28 of sectors acquired 78165360 (400 GB)Source hash SHA1 a48bb5665d6dc57c22db68e2f723da9aa8df82b9 MD5 f458f673894753fa6a0ec8b8ec63848e
====== Source drive rehash ====== Rehash (SHA1) of source A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expected
July 2011 11 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 AO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 12 of 53 Tableau TD1 Forensic Duplicator
522 DA-01-ATA48 Test Case DA-01-ATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 115123 2011 Drives src(4C) dst (46-SATA) other (none)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 390700737 sectors 200038777344 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 46
====== Comparison of original to clone drive ======Sectors compared 390721968Sectors match 390721968 Sectors differ 0 Bytes differ 0 Diffs rangeSource (390721968) has 97675200 fewer sectors than destination (488397168)Zero fill 0 Src Byte fill (4C) 0 Dst Byte fill (46) 97675200Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 390721968-488397167 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======
July 2011 13 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
US Department of Justice Office of Justice Programs
810 Seventh Street NW
Washington DC 20531
Eric H Holder Jr Attorney General
Laurie O Robinson Assistant Attorney General
John H Laub Director National Institute of Justice
This and other publications and products of the National Institute
Test Results for Digital Data Acquisition Tool Tableau TD1 Forensic Duplicator Firmware Version 234 Feb 17 2011
NCJ 236223
John Laub
Director National Institute of Justice
This report was prepared for the National Institute of Justice US Department of Justice by the Office of Law Enforcement Standards of the National Institute of Standards and Technology under Interagency Agreement 2003ndashIJndashRndash029
The National Institute of Justice is a component of the Office of Justice Programs which also includes the Bureau of Justice Assistance the Bureau of Justice Statistics the Office of Juvenile Justice and Delinquency Prevention and the Office for Victims of Crime
July 2011
Test Results for Digital Data Acquisition Tool Tableau TD1 Forensic Duplicator Firmware Version 234 Feb 17 2011
Contents
Introduction1 How to Read This Report 1 1 Results Summary 3 2 Test Case Selection 4 3 Results by Test Assertion5
July 2011tableau_td1_nij 72811_KE edit 1024doc ii Tableau T
Introduction
The Computer Forensics Tool Testing (CFTT) program is a joint project of the National Institute of Justice (NIJ) the Department of Homeland Security (DHS) and the National Institute of Standards and Technologyrsquos Law Enforcement Standards Office and Information Technology Laboratory CFTT is supported by other organizations including the Federal Bureau of Investigation the US Department of Defense Cyber Crime Center the US Internal Revenue Service Criminal Investigation Division Electronic Crimes Program and the US Department of Homeland Securityrsquos Bureau of Immigration and Customs Enforcement US Customs and Border Protection and US Secret Service The objective of the CFTT program is to provide measurable assurance to practitioners researchers and other applicable users that the tools used in computer forensics investigations provide accurate results Accomplishing this requires the development of specifications and test methods for computer forensics tools and subsequent testing of specific tools against those specifications
Test results provide the information necessary for developers to improve tools users to make informed choices and the legal community and others to understand the toolsrsquo capabilities The CFTT approach to testing computer forensic tools is based on well-recognized methodologies for conformance and quality testing The specifications and test methods are posted on the CFTT Web site (httpwwwcfttnistgov) for review and comment by the computer forensics community
This document reports the results from testing the Tableau TD1 Forensic Duplicator firmware version 234 Feb 17 2011 against the Digital Data Acquisition Tool Assertions and Test Plan Version 10 available at the CFTT Web site (httpwwwcfttnistgovDA-ATP-pc-01pdf)
Test results from other tools and the CFTT tool methodology can be found on NIJrsquos CFTT Web page httpwwwnijgovnijtopicsforensicsevidencedigitalstandardscftthtm
How to Read This Report This report is divided into five sections The first section is a summary of the results from the test runs and is sufficient for most readers to assess the suitability of the tool for the intended use The remaining sections of the report describe how the tests were conducted discuss any anomalies that were encountered and provide documentation of test case run details that support the report summary Section 2 gives justification for the selection of test cases from the set of possible cases defined in the test plan for Digital Data Acquisition tools The test cases are selected in general based on features offered by the tool Section 3 describes in more depth any anomalies summarized in the first section Section 4 lists hardware and software used to run the test cases with links to additional information about the items used Section 5 contains a description of each test case run
that lists all test assertions used in the test case the expected result and the actual result Please refer to the vendorrsquos owner manual for guidance on using the tool
July 2011 2 of 53 Tableau TD1 Forensic Duplicator
Test Results for Digital Data Acquisition Tool Tool Tested TD1 Forensic Duplicator
Firmware Version 234 Feb 17 2011
Supplier Guidance Software Inc
Address W223 N608 Saratoga Drive Waukesha WI 53186
Tel (262) 522-7890 Fax (262) 522-7899
Email supporttableaucom WWW httpwwwtableaucom
1 Results Summary The tool acquired source drives completely and accurately with the exception of the following one case where a source drive containing faulty sectors was imaged and two cases where source drives containing hidden sectors were imaged In addition there were two cases where the tool generated bogus alert messages in place of alerting the user to the presence of hidden sectors on the source drive
The following behaviors were observed bull When the tool was executed using the fast error recovery mode and faulty sectors
were encountered some readable sectors near the faulty sectors were replaced by zeros in the created clone (test case DA-09-FAST) This is the intended tool behavior as specified by the tool vendor
bull In two cases DA-08-ATA28 (drive containing an HPA) and DA-08-DCO-ALT (drive containing a DCO) in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 the tool removed the HPA from the source and all sectors were acquired In case DA-08-DCO-ALT the tool did not remove the DCO from the source and hidden sectors were not acquired
bull The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using the ldquoDisk Utilitiesrdquo Remove DCO amp HPA menu option In cases DA-08-DCO and DA-08-DCO-ALT the Remove DCO amp HPA option was not exercised and sectors hidden by a DCO were not acquired In case DA-08-DCO-ALT-SATA the Remove DCO amp HPA option was exercised to remove the DCO and all sectors were successfully acquired
July 2011 3 of 53 Tableau TD1 Forensic Duplicator
2 Test Case Selection Test cases used to test disk imaging tools are defined in Digital Data Acquisition Tool Assertions and Test Plan Version 10 To test a tool test cases are selected from the Test Plan document based on the features offered by the tool Not all test cases or test assertions are appropriate for all tools There is a core set of base cases (DA-06 and DA-08) that are executed for every tool tested Tool features guide the selection of additional test cases If a given tool implements a given feature then the test cases linked to that feature are run Table 1 lists the features available in the TD1 Forensic Duplicator and the linked test cases selected for execution Table 2 lists the features not available in the TD1 Forensic Duplicator and the test cases not executed
Table 1 Selected Test Cases
Supported Optional Feature Cases Selected for Execution Create a clone during acquisition 01 Create a truncated clone from a physical device 04 Base cases 06 amp 08 Read error during acquisition 09 Create an image file in more than one format 10 Destination device switching 13
Table 2 Omitted Test Cases
Unsupported Optional Feature Cases Omitted (Not Executed) Create an unaligned clone from a digital source 02 Create cylinder aligned clones 03 15 21 amp 23 Device IO error generator available 05 11 amp 18 Create an image of a partition 07 Insufficient space for image file 12 Create a clone from an image file 14 amp 17 Create a clone from a subset of an image file 16 Fill excess sectors on a clone acquisition 19 Fill excess sectors on a clone device 20 21 22 amp 23 Detect a corrupted (or changed) image file 24 amp 25 Convert an image file from one format to another 26
Some test cases have variant forms to accommodate parameters within test assertions These variations cover the acquisition interface to the source drive and the way that sectors are hidden on a drive Additional parameters that were varied between test cases were interface to target device use of the verify hash setting error recovery mode and chunk (image file) size
The following source access interfaces were tested ATA28 ATA48 SATA28 SATA48 and ESATA These are noted as variations on test cases DA-01 DA-06 and DA-08
July 2011 4 of 53 Tableau TD1 Forensic Duplicator
For test case DA-09 the TD1 Forensic Duplicator offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some good sectors bull complete ndash reads all readable sectors
3 Results by Test Assertion A test assertion is a verifiable statement about a single condition after an action is performed by the tool under test A test case usually checks a group of assertions after the action of a single execution of the tool under test Test assertions are defined and linked to test cases in Digital Data Acquisition Tool Assertions and Test Plan Version 10 Table 3 summarizes the test results for all the test cases by assertion The column labeled Assertions Tested gives the text of each assertion The column labeled Tests gives the number of test cases that use the given assertion The column labeled Anomaly gives the section number in this report where any observed anomalies are discussed
Table 3 Assertions Tested
Assertions Tested Tests Anomaly AM-01 The tool uses access interface SRC-AI to access the digital source
20
AM-02 The tool acquires digital source DS 20 AM-03 The tool executes in execution environment XE 20 AM-04 If clone creation is specified the tool creates a clone of the digital source
6
AM-05 If image file creation is specified the tool creates an image file on file system type FS
14
AM-06 All visible sectors are acquired from the digital source 20 31 AM-07 All hidden sectors are acquired from the digital source 5 32 AM-08 All sectors acquired from the digital source are acquired accurately
20
AM-09 If unresolved errors occur while reading from the selected digital source the tool notifies the user of the error type and location within the digital source
2
AM-10 If unresolved errors occur while reading from the selected digital source the tool uses a benign fill in the destination object in place of the inaccessible data
2
AO-01 If the tool creates an image file the data represented by the image file is the same as the data acquired by the tool
14
AO-02 If an image file format is specified the tool creates an image file in the specified format
1
AO-04 If the tool is creating an image file and there is insufficient space on the image destination device to contain the image file the tool shall notify the user
1
AO-05 If the tool creates a multi-file image of a requested size then all the individual files shall be no larger than the requested size
14
July 2011 5 of 53 Tableau TD1 Forensic Duplicator
Assertions Tested Tests Anomaly AO-10 If there is insufficient space to contain all files of a multi-file image and if destination device switching is supported the image is continued on another device
1
AO-11 If requested a clone is created during an acquisition of a digital source
6
AO-13 A clone is created using access interface DST-AI to write to the clone device
6
AO-14 If an unaligned clone is created each sector written to the clone is accurately written to the same disk address on the clone that the sector occupied on the digital source
6
AO-17 If requested any excess sectors on a clone destination device are not modified
4
AO-19 If there is insufficient space to create a complete clone a truncated clone is created using all available sectors of the clone device
1
AO-20 If a truncated clone is created the tool notifies the user 1 AO-23 If the tool logs any log significant information the information is accurately recorded in the log file
20 33
AO-24 If the tool executes in a forensically safe execution environment the digital source is unchanged by the acquisition process
20
Two test assertions only apply in special circumstances The assertion AO-22 is checked only for tools that create block hashes The assertion AO-24 is only checked if the tool is executed in a run time environment that does not modify attached storage devices such as MS DOS In normal operation an imaging tool is used in conjunction with a write block device to protect the source drive however a blocker was not used during the tests so that assertion AO-24 could be checked Table 4 lists the assertions that were not tested usually due to the tool not supporting some optional feature eg creation of cylinder aligned clones
Table 4 Assertions Not Tested
Assertions Not Tested AO-03 If there is an error while writing the image file the tool notifies the user AO-06 If the tool performs an image file integrity check on an image file that has not been changed since the file was created the tool shall notify the user that the image file has not been changed AO-07 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user that the image file has been changed AO-08 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user of the affected locations AO-09 If the tool converts a source image file from one format to a target image file in another format the acquired data represented in the target image file is the same as the
July 2011 6 of 53 Tableau TD1 Forensic Duplicator
Assertions Not Tested acquired data in the source image file AO-12 If requested a clone is created from an image file AO-15 If an aligned clone is created each sector within a contiguous span of sectors from the source is accurately written to the same disk address on the clone device relative to the start of the span as the sector occupied on the original digital source A span of sectors is defined to be either a mountable partition or a contiguous sequence of sectors not part of a mountable partition Extended partitions which may contain both mountable partitions and unallocated sectors are not mountable partitions AO-16 If a subset of an image or acquisition is specified all the subset is cloned AO-18 If requested a benign fill is written to excess sectors of a clone AO-21 If there is a write error during clone creation the tool notifies the user AO-22 If requested the tool calculates block hashes for a specified block size during an acquisition for each block acquired from the digital source
31 Acquisition of Faulty Sectors The Tableau TD1 Forensic Duplicator (firmware version 234 Feb 17 2011) offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some readable sectors near faulty sectors bull complete ndash reads all readable sectors
For test case DA-09-FAST the fast error recovery mode was specified and readable sectors in the same 128-sector imaging block as faulty sectors were skipped and replaced by zeros in the created clone For test case DA-09-COMPLETE the complete error recovery mode was specified and all readable sectors were acquired This is the behavior intended for the tool by the tool vendor
32 DCO Hidden Sector Tests The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using a Disk Utilities option In cases DA-08-DCO and DA-08-DCO-ALT the Disk Utilities option was not exercised and sectors hidden by a DCO were not acquired in case DA-08-DCO-ALT-SATA the Disk Utilities option was exercised to remove the DCO and all sectors were successfully acquired
33 Bogus Error Messages The tool is designed to warn the user prior to the start of an acquisition when a source drive contains hidden sectors (ie an HPA or DCO) In two cases DA-08-ATA28 and DA-08-DCO-ALT in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 a source drive containing an HPA was imaged The tool automatically removed the HPA and acquired all visible and hidden sectors In case DA-08-DCO-ALT a source
July 2011 7 of 53 Tableau TD1 Forensic Duplicator
drive containing a DCO was imaged In this case visible sectors were acquired but sectors hidden by a DCO were not
4 Testing Environment The tests were run in the NIST CFTT lab This section describes using the support software and notes on test hardware
41 Support Software A package of programs to support test analysis FS-TST Release 20 was used The software can be obtained from httpwwwcfttnistgovdiskimagingfs-tst20zip
42 Test Drive Creation There are three ways that a hard drive may be used in a tool test case as a source drive that is imaged by the tool as a media drive that contains image files created by the tool under test or as a destination drive on which the tool under test creates a clone of the source drive In addition to the operating system drive formatting tools some tools (diskwipe and diskhash) from the FS-TST package are used to set up test drives
To set up a media drive the drive is formatted with one of the supported file systems A media drive may be used in several test cases
The setup of most source drives follows the same general procedure but there are several steps that may be varied depending on the needs of the test case
1 The drive is filled with known data by the diskwipe program from FS-TST The diskwipe program writes the sector address to each sector in both CHS and LBA format The remainder of the sector bytes is set to a constant fill value unique for each drive The fill value is noted in the diskwipe tool log file
2 The drive may be formatted with partitions as required for the test case 3 An operating system may optionally be installed 4 A set of reference hashes is created by the FS-TST diskhash tool These include
both SHA1 and MD5 hashes In addition to full drive hashes hashes of each partition may also be computed
5 If the drive is intended for hidden area tests (DA-08) an HPA a DCO or both may be created The diskhash tool is then used to calculate reference hashes of just the visible sectors of the drive
The source drives for DA-09 are created such that there is a consistent set of faulty sectors on the drive Each of these source drives is initialized with diskwipe and then their faulty sectors are activated For each of these source drives a second drive of the same size with the same content as the faulty sector drive but with no faulty sectors serves as a reference drive for images made from the faulty drive
To set up a destination drive the drive is filled with known data by the diskwipe program from FS-TST Partitions may be created if the test case involves restoring from the image of a logical acquire
July 2011 8 of 53 Tableau TD1 Forensic Duplicator
43 Test Drive Analysis For test cases that create a clone of a physical device (eg DA-01 DA-04) the destination drive is compared to the source drive with the diskcmp program from the FS-TST package For test cases that create a clone of a logical device (ie a partition eg DA-02 DA-20) the destination partition is compared to the source partition with the partcmp program For a destination created from an image file (eg DA-14) the destination is compared using either diskcmp (for physical device clones) or partcmp (for partition clones) to the source that was acquired to create the image file Both diskcmp and partcmp note differences between the source and destination If the destination is larger than the source it is scanned and the excess destination sectors are categorized as either undisturbed (still containing the fill pattern written by diskwipe) zero filled or changed to something else
For test case DA-09 imaging a drive with known faulty sectors the program anabad is used to compare the faulty sector reference drive to a cloned version of the faulty sector drive
For test cases such as DA-06 and DA-07 any acquisition hash computed by the tool under test is compared to the reference hash of the source to check that the source is completely and accurately acquired
44 Note on Test Drives The testing uses several test drives from a variety of vendors The drives are identified by an external label that consists of a 2-digit hexadecimal value and an optional tag (eg 25-SATA) The combination of hex value and tag serves as a unique identifier for each drive The 2-digit hex value is used by the FS-TST diskwipe program as a sector fill value The FS-TST compare tools diskcmp and partcmp count sectors that are filled with the source and destination fill values on a destination that is larger than the original source
5 Test Results The main item of interest for interpreting the test results is determining the conformance of the device with the test assertions Conformance with each assertion tested by a given test case is evaluated by examining the Log Highlights box of the test case details
51 Test Results Report Key A summary of the actual test results is presented in this report The following table presents a description of each section of the test report summary The Tester Name Test Host Test Date Drives Source Setup and Log Highlights sections for each test case are populated by excerpts taken from the log files produced by the tool under test and the FS-TST tools that were executed in support of test case setup and analysis
Heading Description First Line Test case ID name and version of tool tested Case Summary Test case summary from Digital Data Acquisition Tool
Assertions and Test Plan Version 10
July 2011 9 of 53 Tableau TD1 Forensic Duplicator
Heading Description Assertions The test assertions applicable to the test case selected from
Digital Data Acquisition Tool Assertions and Test Plan Version 10
Tester Name Name or initials of person executing test procedure Test Host Host computer executing the test Test Date Time and date that test was started Drives Source drive (the drive acquired) destination drive (if a
clone is created) and media drive (to contain a created image)
Source Setup Layout of partitions on the source drive and the expected hash of the drive
Log Highlights Information extracted from various log files to illustrate conformance or nonconformance to the test assertions
Results Expected and actual results for each assertion tested Analysis Whether or not the expected results were achieved
52 Test Details
521 DA-01-ATA28 Test Case DA-01-ATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 104849 2011 Drives src(01-IDE) dst (58-IDE) other (none)Source src hash (SHA1) lt A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9 gtSetup src hash (MD5) lt F458F673894753FA6A0EC8B8EC63848E gt
78165360 total sectors (40020664320 bytes)Model (0BB-00JHC0 ) serial ( WD-WMAMC74171)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057175335 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12
July 2011 10 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027744255 102300001 102325463 05 extended 15 S 000000063 027744192 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry
LogHighlights
====== Destination drive setup ======117231408 sectors wiped with 58
====== Comparison of original to clone drive ======Sectors compared 78165360Sectors match 78165360 Sectors differ 0 Bytes differ 0 Diffs rangeSource (78165360) has 39066048 fewer sectors than destination (117231408)Zero fill 0 Src Byte fill (01) 0 Dst Byte fill (58) 39066048Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 78165360-117231407 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA28 of sectors acquired 78165360 (400 GB)Source hash SHA1 a48bb5665d6dc57c22db68e2f723da9aa8df82b9 MD5 f458f673894753fa6a0ec8b8ec63848e
====== Source drive rehash ====== Rehash (SHA1) of source A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expected
July 2011 11 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 AO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 12 of 53 Tableau TD1 Forensic Duplicator
522 DA-01-ATA48 Test Case DA-01-ATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 115123 2011 Drives src(4C) dst (46-SATA) other (none)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 390700737 sectors 200038777344 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 46
====== Comparison of original to clone drive ======Sectors compared 390721968Sectors match 390721968 Sectors differ 0 Bytes differ 0 Diffs rangeSource (390721968) has 97675200 fewer sectors than destination (488397168)Zero fill 0 Src Byte fill (4C) 0 Dst Byte fill (46) 97675200Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 390721968-488397167 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======
July 2011 13 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
DEC 2011
Test Results for Digital Data Acquisition Tool Tableau TD1 Forensic Duplicator Firmware Version 234 Feb 17 2011
NCJ 236223
John Laub
Director National Institute of Justice
This report was prepared for the National Institute of Justice US Department of Justice by the Office of Law Enforcement Standards of the National Institute of Standards and Technology under Interagency Agreement 2003ndashIJndashRndash029
The National Institute of Justice is a component of the Office of Justice Programs which also includes the Bureau of Justice Assistance the Bureau of Justice Statistics the Office of Juvenile Justice and Delinquency Prevention and the Office for Victims of Crime
July 2011
Test Results for Digital Data Acquisition Tool Tableau TD1 Forensic Duplicator Firmware Version 234 Feb 17 2011
Contents
Introduction1 How to Read This Report 1 1 Results Summary 3 2 Test Case Selection 4 3 Results by Test Assertion5
July 2011tableau_td1_nij 72811_KE edit 1024doc ii Tableau T
Introduction
The Computer Forensics Tool Testing (CFTT) program is a joint project of the National Institute of Justice (NIJ) the Department of Homeland Security (DHS) and the National Institute of Standards and Technologyrsquos Law Enforcement Standards Office and Information Technology Laboratory CFTT is supported by other organizations including the Federal Bureau of Investigation the US Department of Defense Cyber Crime Center the US Internal Revenue Service Criminal Investigation Division Electronic Crimes Program and the US Department of Homeland Securityrsquos Bureau of Immigration and Customs Enforcement US Customs and Border Protection and US Secret Service The objective of the CFTT program is to provide measurable assurance to practitioners researchers and other applicable users that the tools used in computer forensics investigations provide accurate results Accomplishing this requires the development of specifications and test methods for computer forensics tools and subsequent testing of specific tools against those specifications
Test results provide the information necessary for developers to improve tools users to make informed choices and the legal community and others to understand the toolsrsquo capabilities The CFTT approach to testing computer forensic tools is based on well-recognized methodologies for conformance and quality testing The specifications and test methods are posted on the CFTT Web site (httpwwwcfttnistgov) for review and comment by the computer forensics community
This document reports the results from testing the Tableau TD1 Forensic Duplicator firmware version 234 Feb 17 2011 against the Digital Data Acquisition Tool Assertions and Test Plan Version 10 available at the CFTT Web site (httpwwwcfttnistgovDA-ATP-pc-01pdf)
Test results from other tools and the CFTT tool methodology can be found on NIJrsquos CFTT Web page httpwwwnijgovnijtopicsforensicsevidencedigitalstandardscftthtm
How to Read This Report This report is divided into five sections The first section is a summary of the results from the test runs and is sufficient for most readers to assess the suitability of the tool for the intended use The remaining sections of the report describe how the tests were conducted discuss any anomalies that were encountered and provide documentation of test case run details that support the report summary Section 2 gives justification for the selection of test cases from the set of possible cases defined in the test plan for Digital Data Acquisition tools The test cases are selected in general based on features offered by the tool Section 3 describes in more depth any anomalies summarized in the first section Section 4 lists hardware and software used to run the test cases with links to additional information about the items used Section 5 contains a description of each test case run
that lists all test assertions used in the test case the expected result and the actual result Please refer to the vendorrsquos owner manual for guidance on using the tool
July 2011 2 of 53 Tableau TD1 Forensic Duplicator
Test Results for Digital Data Acquisition Tool Tool Tested TD1 Forensic Duplicator
Firmware Version 234 Feb 17 2011
Supplier Guidance Software Inc
Address W223 N608 Saratoga Drive Waukesha WI 53186
Tel (262) 522-7890 Fax (262) 522-7899
Email supporttableaucom WWW httpwwwtableaucom
1 Results Summary The tool acquired source drives completely and accurately with the exception of the following one case where a source drive containing faulty sectors was imaged and two cases where source drives containing hidden sectors were imaged In addition there were two cases where the tool generated bogus alert messages in place of alerting the user to the presence of hidden sectors on the source drive
The following behaviors were observed bull When the tool was executed using the fast error recovery mode and faulty sectors
were encountered some readable sectors near the faulty sectors were replaced by zeros in the created clone (test case DA-09-FAST) This is the intended tool behavior as specified by the tool vendor
bull In two cases DA-08-ATA28 (drive containing an HPA) and DA-08-DCO-ALT (drive containing a DCO) in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 the tool removed the HPA from the source and all sectors were acquired In case DA-08-DCO-ALT the tool did not remove the DCO from the source and hidden sectors were not acquired
bull The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using the ldquoDisk Utilitiesrdquo Remove DCO amp HPA menu option In cases DA-08-DCO and DA-08-DCO-ALT the Remove DCO amp HPA option was not exercised and sectors hidden by a DCO were not acquired In case DA-08-DCO-ALT-SATA the Remove DCO amp HPA option was exercised to remove the DCO and all sectors were successfully acquired
July 2011 3 of 53 Tableau TD1 Forensic Duplicator
2 Test Case Selection Test cases used to test disk imaging tools are defined in Digital Data Acquisition Tool Assertions and Test Plan Version 10 To test a tool test cases are selected from the Test Plan document based on the features offered by the tool Not all test cases or test assertions are appropriate for all tools There is a core set of base cases (DA-06 and DA-08) that are executed for every tool tested Tool features guide the selection of additional test cases If a given tool implements a given feature then the test cases linked to that feature are run Table 1 lists the features available in the TD1 Forensic Duplicator and the linked test cases selected for execution Table 2 lists the features not available in the TD1 Forensic Duplicator and the test cases not executed
Table 1 Selected Test Cases
Supported Optional Feature Cases Selected for Execution Create a clone during acquisition 01 Create a truncated clone from a physical device 04 Base cases 06 amp 08 Read error during acquisition 09 Create an image file in more than one format 10 Destination device switching 13
Table 2 Omitted Test Cases
Unsupported Optional Feature Cases Omitted (Not Executed) Create an unaligned clone from a digital source 02 Create cylinder aligned clones 03 15 21 amp 23 Device IO error generator available 05 11 amp 18 Create an image of a partition 07 Insufficient space for image file 12 Create a clone from an image file 14 amp 17 Create a clone from a subset of an image file 16 Fill excess sectors on a clone acquisition 19 Fill excess sectors on a clone device 20 21 22 amp 23 Detect a corrupted (or changed) image file 24 amp 25 Convert an image file from one format to another 26
Some test cases have variant forms to accommodate parameters within test assertions These variations cover the acquisition interface to the source drive and the way that sectors are hidden on a drive Additional parameters that were varied between test cases were interface to target device use of the verify hash setting error recovery mode and chunk (image file) size
The following source access interfaces were tested ATA28 ATA48 SATA28 SATA48 and ESATA These are noted as variations on test cases DA-01 DA-06 and DA-08
July 2011 4 of 53 Tableau TD1 Forensic Duplicator
For test case DA-09 the TD1 Forensic Duplicator offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some good sectors bull complete ndash reads all readable sectors
3 Results by Test Assertion A test assertion is a verifiable statement about a single condition after an action is performed by the tool under test A test case usually checks a group of assertions after the action of a single execution of the tool under test Test assertions are defined and linked to test cases in Digital Data Acquisition Tool Assertions and Test Plan Version 10 Table 3 summarizes the test results for all the test cases by assertion The column labeled Assertions Tested gives the text of each assertion The column labeled Tests gives the number of test cases that use the given assertion The column labeled Anomaly gives the section number in this report where any observed anomalies are discussed
Table 3 Assertions Tested
Assertions Tested Tests Anomaly AM-01 The tool uses access interface SRC-AI to access the digital source
20
AM-02 The tool acquires digital source DS 20 AM-03 The tool executes in execution environment XE 20 AM-04 If clone creation is specified the tool creates a clone of the digital source
6
AM-05 If image file creation is specified the tool creates an image file on file system type FS
14
AM-06 All visible sectors are acquired from the digital source 20 31 AM-07 All hidden sectors are acquired from the digital source 5 32 AM-08 All sectors acquired from the digital source are acquired accurately
20
AM-09 If unresolved errors occur while reading from the selected digital source the tool notifies the user of the error type and location within the digital source
2
AM-10 If unresolved errors occur while reading from the selected digital source the tool uses a benign fill in the destination object in place of the inaccessible data
2
AO-01 If the tool creates an image file the data represented by the image file is the same as the data acquired by the tool
14
AO-02 If an image file format is specified the tool creates an image file in the specified format
1
AO-04 If the tool is creating an image file and there is insufficient space on the image destination device to contain the image file the tool shall notify the user
1
AO-05 If the tool creates a multi-file image of a requested size then all the individual files shall be no larger than the requested size
14
July 2011 5 of 53 Tableau TD1 Forensic Duplicator
Assertions Tested Tests Anomaly AO-10 If there is insufficient space to contain all files of a multi-file image and if destination device switching is supported the image is continued on another device
1
AO-11 If requested a clone is created during an acquisition of a digital source
6
AO-13 A clone is created using access interface DST-AI to write to the clone device
6
AO-14 If an unaligned clone is created each sector written to the clone is accurately written to the same disk address on the clone that the sector occupied on the digital source
6
AO-17 If requested any excess sectors on a clone destination device are not modified
4
AO-19 If there is insufficient space to create a complete clone a truncated clone is created using all available sectors of the clone device
1
AO-20 If a truncated clone is created the tool notifies the user 1 AO-23 If the tool logs any log significant information the information is accurately recorded in the log file
20 33
AO-24 If the tool executes in a forensically safe execution environment the digital source is unchanged by the acquisition process
20
Two test assertions only apply in special circumstances The assertion AO-22 is checked only for tools that create block hashes The assertion AO-24 is only checked if the tool is executed in a run time environment that does not modify attached storage devices such as MS DOS In normal operation an imaging tool is used in conjunction with a write block device to protect the source drive however a blocker was not used during the tests so that assertion AO-24 could be checked Table 4 lists the assertions that were not tested usually due to the tool not supporting some optional feature eg creation of cylinder aligned clones
Table 4 Assertions Not Tested
Assertions Not Tested AO-03 If there is an error while writing the image file the tool notifies the user AO-06 If the tool performs an image file integrity check on an image file that has not been changed since the file was created the tool shall notify the user that the image file has not been changed AO-07 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user that the image file has been changed AO-08 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user of the affected locations AO-09 If the tool converts a source image file from one format to a target image file in another format the acquired data represented in the target image file is the same as the
July 2011 6 of 53 Tableau TD1 Forensic Duplicator
Assertions Not Tested acquired data in the source image file AO-12 If requested a clone is created from an image file AO-15 If an aligned clone is created each sector within a contiguous span of sectors from the source is accurately written to the same disk address on the clone device relative to the start of the span as the sector occupied on the original digital source A span of sectors is defined to be either a mountable partition or a contiguous sequence of sectors not part of a mountable partition Extended partitions which may contain both mountable partitions and unallocated sectors are not mountable partitions AO-16 If a subset of an image or acquisition is specified all the subset is cloned AO-18 If requested a benign fill is written to excess sectors of a clone AO-21 If there is a write error during clone creation the tool notifies the user AO-22 If requested the tool calculates block hashes for a specified block size during an acquisition for each block acquired from the digital source
31 Acquisition of Faulty Sectors The Tableau TD1 Forensic Duplicator (firmware version 234 Feb 17 2011) offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some readable sectors near faulty sectors bull complete ndash reads all readable sectors
For test case DA-09-FAST the fast error recovery mode was specified and readable sectors in the same 128-sector imaging block as faulty sectors were skipped and replaced by zeros in the created clone For test case DA-09-COMPLETE the complete error recovery mode was specified and all readable sectors were acquired This is the behavior intended for the tool by the tool vendor
32 DCO Hidden Sector Tests The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using a Disk Utilities option In cases DA-08-DCO and DA-08-DCO-ALT the Disk Utilities option was not exercised and sectors hidden by a DCO were not acquired in case DA-08-DCO-ALT-SATA the Disk Utilities option was exercised to remove the DCO and all sectors were successfully acquired
33 Bogus Error Messages The tool is designed to warn the user prior to the start of an acquisition when a source drive contains hidden sectors (ie an HPA or DCO) In two cases DA-08-ATA28 and DA-08-DCO-ALT in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 a source drive containing an HPA was imaged The tool automatically removed the HPA and acquired all visible and hidden sectors In case DA-08-DCO-ALT a source
July 2011 7 of 53 Tableau TD1 Forensic Duplicator
drive containing a DCO was imaged In this case visible sectors were acquired but sectors hidden by a DCO were not
4 Testing Environment The tests were run in the NIST CFTT lab This section describes using the support software and notes on test hardware
41 Support Software A package of programs to support test analysis FS-TST Release 20 was used The software can be obtained from httpwwwcfttnistgovdiskimagingfs-tst20zip
42 Test Drive Creation There are three ways that a hard drive may be used in a tool test case as a source drive that is imaged by the tool as a media drive that contains image files created by the tool under test or as a destination drive on which the tool under test creates a clone of the source drive In addition to the operating system drive formatting tools some tools (diskwipe and diskhash) from the FS-TST package are used to set up test drives
To set up a media drive the drive is formatted with one of the supported file systems A media drive may be used in several test cases
The setup of most source drives follows the same general procedure but there are several steps that may be varied depending on the needs of the test case
1 The drive is filled with known data by the diskwipe program from FS-TST The diskwipe program writes the sector address to each sector in both CHS and LBA format The remainder of the sector bytes is set to a constant fill value unique for each drive The fill value is noted in the diskwipe tool log file
2 The drive may be formatted with partitions as required for the test case 3 An operating system may optionally be installed 4 A set of reference hashes is created by the FS-TST diskhash tool These include
both SHA1 and MD5 hashes In addition to full drive hashes hashes of each partition may also be computed
5 If the drive is intended for hidden area tests (DA-08) an HPA a DCO or both may be created The diskhash tool is then used to calculate reference hashes of just the visible sectors of the drive
The source drives for DA-09 are created such that there is a consistent set of faulty sectors on the drive Each of these source drives is initialized with diskwipe and then their faulty sectors are activated For each of these source drives a second drive of the same size with the same content as the faulty sector drive but with no faulty sectors serves as a reference drive for images made from the faulty drive
To set up a destination drive the drive is filled with known data by the diskwipe program from FS-TST Partitions may be created if the test case involves restoring from the image of a logical acquire
July 2011 8 of 53 Tableau TD1 Forensic Duplicator
43 Test Drive Analysis For test cases that create a clone of a physical device (eg DA-01 DA-04) the destination drive is compared to the source drive with the diskcmp program from the FS-TST package For test cases that create a clone of a logical device (ie a partition eg DA-02 DA-20) the destination partition is compared to the source partition with the partcmp program For a destination created from an image file (eg DA-14) the destination is compared using either diskcmp (for physical device clones) or partcmp (for partition clones) to the source that was acquired to create the image file Both diskcmp and partcmp note differences between the source and destination If the destination is larger than the source it is scanned and the excess destination sectors are categorized as either undisturbed (still containing the fill pattern written by diskwipe) zero filled or changed to something else
For test case DA-09 imaging a drive with known faulty sectors the program anabad is used to compare the faulty sector reference drive to a cloned version of the faulty sector drive
For test cases such as DA-06 and DA-07 any acquisition hash computed by the tool under test is compared to the reference hash of the source to check that the source is completely and accurately acquired
44 Note on Test Drives The testing uses several test drives from a variety of vendors The drives are identified by an external label that consists of a 2-digit hexadecimal value and an optional tag (eg 25-SATA) The combination of hex value and tag serves as a unique identifier for each drive The 2-digit hex value is used by the FS-TST diskwipe program as a sector fill value The FS-TST compare tools diskcmp and partcmp count sectors that are filled with the source and destination fill values on a destination that is larger than the original source
5 Test Results The main item of interest for interpreting the test results is determining the conformance of the device with the test assertions Conformance with each assertion tested by a given test case is evaluated by examining the Log Highlights box of the test case details
51 Test Results Report Key A summary of the actual test results is presented in this report The following table presents a description of each section of the test report summary The Tester Name Test Host Test Date Drives Source Setup and Log Highlights sections for each test case are populated by excerpts taken from the log files produced by the tool under test and the FS-TST tools that were executed in support of test case setup and analysis
Heading Description First Line Test case ID name and version of tool tested Case Summary Test case summary from Digital Data Acquisition Tool
Assertions and Test Plan Version 10
July 2011 9 of 53 Tableau TD1 Forensic Duplicator
Heading Description Assertions The test assertions applicable to the test case selected from
Digital Data Acquisition Tool Assertions and Test Plan Version 10
Tester Name Name or initials of person executing test procedure Test Host Host computer executing the test Test Date Time and date that test was started Drives Source drive (the drive acquired) destination drive (if a
clone is created) and media drive (to contain a created image)
Source Setup Layout of partitions on the source drive and the expected hash of the drive
Log Highlights Information extracted from various log files to illustrate conformance or nonconformance to the test assertions
Results Expected and actual results for each assertion tested Analysis Whether or not the expected results were achieved
52 Test Details
521 DA-01-ATA28 Test Case DA-01-ATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 104849 2011 Drives src(01-IDE) dst (58-IDE) other (none)Source src hash (SHA1) lt A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9 gtSetup src hash (MD5) lt F458F673894753FA6A0EC8B8EC63848E gt
78165360 total sectors (40020664320 bytes)Model (0BB-00JHC0 ) serial ( WD-WMAMC74171)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057175335 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12
July 2011 10 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027744255 102300001 102325463 05 extended 15 S 000000063 027744192 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry
LogHighlights
====== Destination drive setup ======117231408 sectors wiped with 58
====== Comparison of original to clone drive ======Sectors compared 78165360Sectors match 78165360 Sectors differ 0 Bytes differ 0 Diffs rangeSource (78165360) has 39066048 fewer sectors than destination (117231408)Zero fill 0 Src Byte fill (01) 0 Dst Byte fill (58) 39066048Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 78165360-117231407 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA28 of sectors acquired 78165360 (400 GB)Source hash SHA1 a48bb5665d6dc57c22db68e2f723da9aa8df82b9 MD5 f458f673894753fa6a0ec8b8ec63848e
====== Source drive rehash ====== Rehash (SHA1) of source A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expected
July 2011 11 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 AO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 12 of 53 Tableau TD1 Forensic Duplicator
522 DA-01-ATA48 Test Case DA-01-ATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 115123 2011 Drives src(4C) dst (46-SATA) other (none)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 390700737 sectors 200038777344 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 46
====== Comparison of original to clone drive ======Sectors compared 390721968Sectors match 390721968 Sectors differ 0 Bytes differ 0 Diffs rangeSource (390721968) has 97675200 fewer sectors than destination (488397168)Zero fill 0 Src Byte fill (4C) 0 Dst Byte fill (46) 97675200Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 390721968-488397167 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======
July 2011 13 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
John Laub
Director National Institute of Justice
This report was prepared for the National Institute of Justice US Department of Justice by the Office of Law Enforcement Standards of the National Institute of Standards and Technology under Interagency Agreement 2003ndashIJndashRndash029
The National Institute of Justice is a component of the Office of Justice Programs which also includes the Bureau of Justice Assistance the Bureau of Justice Statistics the Office of Juvenile Justice and Delinquency Prevention and the Office for Victims of Crime
July 2011
Test Results for Digital Data Acquisition Tool Tableau TD1 Forensic Duplicator Firmware Version 234 Feb 17 2011
Contents
Introduction1 How to Read This Report 1 1 Results Summary 3 2 Test Case Selection 4 3 Results by Test Assertion5
July 2011tableau_td1_nij 72811_KE edit 1024doc ii Tableau T
Introduction
The Computer Forensics Tool Testing (CFTT) program is a joint project of the National Institute of Justice (NIJ) the Department of Homeland Security (DHS) and the National Institute of Standards and Technologyrsquos Law Enforcement Standards Office and Information Technology Laboratory CFTT is supported by other organizations including the Federal Bureau of Investigation the US Department of Defense Cyber Crime Center the US Internal Revenue Service Criminal Investigation Division Electronic Crimes Program and the US Department of Homeland Securityrsquos Bureau of Immigration and Customs Enforcement US Customs and Border Protection and US Secret Service The objective of the CFTT program is to provide measurable assurance to practitioners researchers and other applicable users that the tools used in computer forensics investigations provide accurate results Accomplishing this requires the development of specifications and test methods for computer forensics tools and subsequent testing of specific tools against those specifications
Test results provide the information necessary for developers to improve tools users to make informed choices and the legal community and others to understand the toolsrsquo capabilities The CFTT approach to testing computer forensic tools is based on well-recognized methodologies for conformance and quality testing The specifications and test methods are posted on the CFTT Web site (httpwwwcfttnistgov) for review and comment by the computer forensics community
This document reports the results from testing the Tableau TD1 Forensic Duplicator firmware version 234 Feb 17 2011 against the Digital Data Acquisition Tool Assertions and Test Plan Version 10 available at the CFTT Web site (httpwwwcfttnistgovDA-ATP-pc-01pdf)
Test results from other tools and the CFTT tool methodology can be found on NIJrsquos CFTT Web page httpwwwnijgovnijtopicsforensicsevidencedigitalstandardscftthtm
How to Read This Report This report is divided into five sections The first section is a summary of the results from the test runs and is sufficient for most readers to assess the suitability of the tool for the intended use The remaining sections of the report describe how the tests were conducted discuss any anomalies that were encountered and provide documentation of test case run details that support the report summary Section 2 gives justification for the selection of test cases from the set of possible cases defined in the test plan for Digital Data Acquisition tools The test cases are selected in general based on features offered by the tool Section 3 describes in more depth any anomalies summarized in the first section Section 4 lists hardware and software used to run the test cases with links to additional information about the items used Section 5 contains a description of each test case run
that lists all test assertions used in the test case the expected result and the actual result Please refer to the vendorrsquos owner manual for guidance on using the tool
July 2011 2 of 53 Tableau TD1 Forensic Duplicator
Test Results for Digital Data Acquisition Tool Tool Tested TD1 Forensic Duplicator
Firmware Version 234 Feb 17 2011
Supplier Guidance Software Inc
Address W223 N608 Saratoga Drive Waukesha WI 53186
Tel (262) 522-7890 Fax (262) 522-7899
Email supporttableaucom WWW httpwwwtableaucom
1 Results Summary The tool acquired source drives completely and accurately with the exception of the following one case where a source drive containing faulty sectors was imaged and two cases where source drives containing hidden sectors were imaged In addition there were two cases where the tool generated bogus alert messages in place of alerting the user to the presence of hidden sectors on the source drive
The following behaviors were observed bull When the tool was executed using the fast error recovery mode and faulty sectors
were encountered some readable sectors near the faulty sectors were replaced by zeros in the created clone (test case DA-09-FAST) This is the intended tool behavior as specified by the tool vendor
bull In two cases DA-08-ATA28 (drive containing an HPA) and DA-08-DCO-ALT (drive containing a DCO) in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 the tool removed the HPA from the source and all sectors were acquired In case DA-08-DCO-ALT the tool did not remove the DCO from the source and hidden sectors were not acquired
bull The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using the ldquoDisk Utilitiesrdquo Remove DCO amp HPA menu option In cases DA-08-DCO and DA-08-DCO-ALT the Remove DCO amp HPA option was not exercised and sectors hidden by a DCO were not acquired In case DA-08-DCO-ALT-SATA the Remove DCO amp HPA option was exercised to remove the DCO and all sectors were successfully acquired
July 2011 3 of 53 Tableau TD1 Forensic Duplicator
2 Test Case Selection Test cases used to test disk imaging tools are defined in Digital Data Acquisition Tool Assertions and Test Plan Version 10 To test a tool test cases are selected from the Test Plan document based on the features offered by the tool Not all test cases or test assertions are appropriate for all tools There is a core set of base cases (DA-06 and DA-08) that are executed for every tool tested Tool features guide the selection of additional test cases If a given tool implements a given feature then the test cases linked to that feature are run Table 1 lists the features available in the TD1 Forensic Duplicator and the linked test cases selected for execution Table 2 lists the features not available in the TD1 Forensic Duplicator and the test cases not executed
Table 1 Selected Test Cases
Supported Optional Feature Cases Selected for Execution Create a clone during acquisition 01 Create a truncated clone from a physical device 04 Base cases 06 amp 08 Read error during acquisition 09 Create an image file in more than one format 10 Destination device switching 13
Table 2 Omitted Test Cases
Unsupported Optional Feature Cases Omitted (Not Executed) Create an unaligned clone from a digital source 02 Create cylinder aligned clones 03 15 21 amp 23 Device IO error generator available 05 11 amp 18 Create an image of a partition 07 Insufficient space for image file 12 Create a clone from an image file 14 amp 17 Create a clone from a subset of an image file 16 Fill excess sectors on a clone acquisition 19 Fill excess sectors on a clone device 20 21 22 amp 23 Detect a corrupted (or changed) image file 24 amp 25 Convert an image file from one format to another 26
Some test cases have variant forms to accommodate parameters within test assertions These variations cover the acquisition interface to the source drive and the way that sectors are hidden on a drive Additional parameters that were varied between test cases were interface to target device use of the verify hash setting error recovery mode and chunk (image file) size
The following source access interfaces were tested ATA28 ATA48 SATA28 SATA48 and ESATA These are noted as variations on test cases DA-01 DA-06 and DA-08
July 2011 4 of 53 Tableau TD1 Forensic Duplicator
For test case DA-09 the TD1 Forensic Duplicator offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some good sectors bull complete ndash reads all readable sectors
3 Results by Test Assertion A test assertion is a verifiable statement about a single condition after an action is performed by the tool under test A test case usually checks a group of assertions after the action of a single execution of the tool under test Test assertions are defined and linked to test cases in Digital Data Acquisition Tool Assertions and Test Plan Version 10 Table 3 summarizes the test results for all the test cases by assertion The column labeled Assertions Tested gives the text of each assertion The column labeled Tests gives the number of test cases that use the given assertion The column labeled Anomaly gives the section number in this report where any observed anomalies are discussed
Table 3 Assertions Tested
Assertions Tested Tests Anomaly AM-01 The tool uses access interface SRC-AI to access the digital source
20
AM-02 The tool acquires digital source DS 20 AM-03 The tool executes in execution environment XE 20 AM-04 If clone creation is specified the tool creates a clone of the digital source
6
AM-05 If image file creation is specified the tool creates an image file on file system type FS
14
AM-06 All visible sectors are acquired from the digital source 20 31 AM-07 All hidden sectors are acquired from the digital source 5 32 AM-08 All sectors acquired from the digital source are acquired accurately
20
AM-09 If unresolved errors occur while reading from the selected digital source the tool notifies the user of the error type and location within the digital source
2
AM-10 If unresolved errors occur while reading from the selected digital source the tool uses a benign fill in the destination object in place of the inaccessible data
2
AO-01 If the tool creates an image file the data represented by the image file is the same as the data acquired by the tool
14
AO-02 If an image file format is specified the tool creates an image file in the specified format
1
AO-04 If the tool is creating an image file and there is insufficient space on the image destination device to contain the image file the tool shall notify the user
1
AO-05 If the tool creates a multi-file image of a requested size then all the individual files shall be no larger than the requested size
14
July 2011 5 of 53 Tableau TD1 Forensic Duplicator
Assertions Tested Tests Anomaly AO-10 If there is insufficient space to contain all files of a multi-file image and if destination device switching is supported the image is continued on another device
1
AO-11 If requested a clone is created during an acquisition of a digital source
6
AO-13 A clone is created using access interface DST-AI to write to the clone device
6
AO-14 If an unaligned clone is created each sector written to the clone is accurately written to the same disk address on the clone that the sector occupied on the digital source
6
AO-17 If requested any excess sectors on a clone destination device are not modified
4
AO-19 If there is insufficient space to create a complete clone a truncated clone is created using all available sectors of the clone device
1
AO-20 If a truncated clone is created the tool notifies the user 1 AO-23 If the tool logs any log significant information the information is accurately recorded in the log file
20 33
AO-24 If the tool executes in a forensically safe execution environment the digital source is unchanged by the acquisition process
20
Two test assertions only apply in special circumstances The assertion AO-22 is checked only for tools that create block hashes The assertion AO-24 is only checked if the tool is executed in a run time environment that does not modify attached storage devices such as MS DOS In normal operation an imaging tool is used in conjunction with a write block device to protect the source drive however a blocker was not used during the tests so that assertion AO-24 could be checked Table 4 lists the assertions that were not tested usually due to the tool not supporting some optional feature eg creation of cylinder aligned clones
Table 4 Assertions Not Tested
Assertions Not Tested AO-03 If there is an error while writing the image file the tool notifies the user AO-06 If the tool performs an image file integrity check on an image file that has not been changed since the file was created the tool shall notify the user that the image file has not been changed AO-07 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user that the image file has been changed AO-08 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user of the affected locations AO-09 If the tool converts a source image file from one format to a target image file in another format the acquired data represented in the target image file is the same as the
July 2011 6 of 53 Tableau TD1 Forensic Duplicator
Assertions Not Tested acquired data in the source image file AO-12 If requested a clone is created from an image file AO-15 If an aligned clone is created each sector within a contiguous span of sectors from the source is accurately written to the same disk address on the clone device relative to the start of the span as the sector occupied on the original digital source A span of sectors is defined to be either a mountable partition or a contiguous sequence of sectors not part of a mountable partition Extended partitions which may contain both mountable partitions and unallocated sectors are not mountable partitions AO-16 If a subset of an image or acquisition is specified all the subset is cloned AO-18 If requested a benign fill is written to excess sectors of a clone AO-21 If there is a write error during clone creation the tool notifies the user AO-22 If requested the tool calculates block hashes for a specified block size during an acquisition for each block acquired from the digital source
31 Acquisition of Faulty Sectors The Tableau TD1 Forensic Duplicator (firmware version 234 Feb 17 2011) offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some readable sectors near faulty sectors bull complete ndash reads all readable sectors
For test case DA-09-FAST the fast error recovery mode was specified and readable sectors in the same 128-sector imaging block as faulty sectors were skipped and replaced by zeros in the created clone For test case DA-09-COMPLETE the complete error recovery mode was specified and all readable sectors were acquired This is the behavior intended for the tool by the tool vendor
32 DCO Hidden Sector Tests The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using a Disk Utilities option In cases DA-08-DCO and DA-08-DCO-ALT the Disk Utilities option was not exercised and sectors hidden by a DCO were not acquired in case DA-08-DCO-ALT-SATA the Disk Utilities option was exercised to remove the DCO and all sectors were successfully acquired
33 Bogus Error Messages The tool is designed to warn the user prior to the start of an acquisition when a source drive contains hidden sectors (ie an HPA or DCO) In two cases DA-08-ATA28 and DA-08-DCO-ALT in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 a source drive containing an HPA was imaged The tool automatically removed the HPA and acquired all visible and hidden sectors In case DA-08-DCO-ALT a source
July 2011 7 of 53 Tableau TD1 Forensic Duplicator
drive containing a DCO was imaged In this case visible sectors were acquired but sectors hidden by a DCO were not
4 Testing Environment The tests were run in the NIST CFTT lab This section describes using the support software and notes on test hardware
41 Support Software A package of programs to support test analysis FS-TST Release 20 was used The software can be obtained from httpwwwcfttnistgovdiskimagingfs-tst20zip
42 Test Drive Creation There are three ways that a hard drive may be used in a tool test case as a source drive that is imaged by the tool as a media drive that contains image files created by the tool under test or as a destination drive on which the tool under test creates a clone of the source drive In addition to the operating system drive formatting tools some tools (diskwipe and diskhash) from the FS-TST package are used to set up test drives
To set up a media drive the drive is formatted with one of the supported file systems A media drive may be used in several test cases
The setup of most source drives follows the same general procedure but there are several steps that may be varied depending on the needs of the test case
1 The drive is filled with known data by the diskwipe program from FS-TST The diskwipe program writes the sector address to each sector in both CHS and LBA format The remainder of the sector bytes is set to a constant fill value unique for each drive The fill value is noted in the diskwipe tool log file
2 The drive may be formatted with partitions as required for the test case 3 An operating system may optionally be installed 4 A set of reference hashes is created by the FS-TST diskhash tool These include
both SHA1 and MD5 hashes In addition to full drive hashes hashes of each partition may also be computed
5 If the drive is intended for hidden area tests (DA-08) an HPA a DCO or both may be created The diskhash tool is then used to calculate reference hashes of just the visible sectors of the drive
The source drives for DA-09 are created such that there is a consistent set of faulty sectors on the drive Each of these source drives is initialized with diskwipe and then their faulty sectors are activated For each of these source drives a second drive of the same size with the same content as the faulty sector drive but with no faulty sectors serves as a reference drive for images made from the faulty drive
To set up a destination drive the drive is filled with known data by the diskwipe program from FS-TST Partitions may be created if the test case involves restoring from the image of a logical acquire
July 2011 8 of 53 Tableau TD1 Forensic Duplicator
43 Test Drive Analysis For test cases that create a clone of a physical device (eg DA-01 DA-04) the destination drive is compared to the source drive with the diskcmp program from the FS-TST package For test cases that create a clone of a logical device (ie a partition eg DA-02 DA-20) the destination partition is compared to the source partition with the partcmp program For a destination created from an image file (eg DA-14) the destination is compared using either diskcmp (for physical device clones) or partcmp (for partition clones) to the source that was acquired to create the image file Both diskcmp and partcmp note differences between the source and destination If the destination is larger than the source it is scanned and the excess destination sectors are categorized as either undisturbed (still containing the fill pattern written by diskwipe) zero filled or changed to something else
For test case DA-09 imaging a drive with known faulty sectors the program anabad is used to compare the faulty sector reference drive to a cloned version of the faulty sector drive
For test cases such as DA-06 and DA-07 any acquisition hash computed by the tool under test is compared to the reference hash of the source to check that the source is completely and accurately acquired
44 Note on Test Drives The testing uses several test drives from a variety of vendors The drives are identified by an external label that consists of a 2-digit hexadecimal value and an optional tag (eg 25-SATA) The combination of hex value and tag serves as a unique identifier for each drive The 2-digit hex value is used by the FS-TST diskwipe program as a sector fill value The FS-TST compare tools diskcmp and partcmp count sectors that are filled with the source and destination fill values on a destination that is larger than the original source
5 Test Results The main item of interest for interpreting the test results is determining the conformance of the device with the test assertions Conformance with each assertion tested by a given test case is evaluated by examining the Log Highlights box of the test case details
51 Test Results Report Key A summary of the actual test results is presented in this report The following table presents a description of each section of the test report summary The Tester Name Test Host Test Date Drives Source Setup and Log Highlights sections for each test case are populated by excerpts taken from the log files produced by the tool under test and the FS-TST tools that were executed in support of test case setup and analysis
Heading Description First Line Test case ID name and version of tool tested Case Summary Test case summary from Digital Data Acquisition Tool
Assertions and Test Plan Version 10
July 2011 9 of 53 Tableau TD1 Forensic Duplicator
Heading Description Assertions The test assertions applicable to the test case selected from
Digital Data Acquisition Tool Assertions and Test Plan Version 10
Tester Name Name or initials of person executing test procedure Test Host Host computer executing the test Test Date Time and date that test was started Drives Source drive (the drive acquired) destination drive (if a
clone is created) and media drive (to contain a created image)
Source Setup Layout of partitions on the source drive and the expected hash of the drive
Log Highlights Information extracted from various log files to illustrate conformance or nonconformance to the test assertions
Results Expected and actual results for each assertion tested Analysis Whether or not the expected results were achieved
52 Test Details
521 DA-01-ATA28 Test Case DA-01-ATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 104849 2011 Drives src(01-IDE) dst (58-IDE) other (none)Source src hash (SHA1) lt A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9 gtSetup src hash (MD5) lt F458F673894753FA6A0EC8B8EC63848E gt
78165360 total sectors (40020664320 bytes)Model (0BB-00JHC0 ) serial ( WD-WMAMC74171)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057175335 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12
July 2011 10 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027744255 102300001 102325463 05 extended 15 S 000000063 027744192 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry
LogHighlights
====== Destination drive setup ======117231408 sectors wiped with 58
====== Comparison of original to clone drive ======Sectors compared 78165360Sectors match 78165360 Sectors differ 0 Bytes differ 0 Diffs rangeSource (78165360) has 39066048 fewer sectors than destination (117231408)Zero fill 0 Src Byte fill (01) 0 Dst Byte fill (58) 39066048Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 78165360-117231407 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA28 of sectors acquired 78165360 (400 GB)Source hash SHA1 a48bb5665d6dc57c22db68e2f723da9aa8df82b9 MD5 f458f673894753fa6a0ec8b8ec63848e
====== Source drive rehash ====== Rehash (SHA1) of source A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expected
July 2011 11 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 AO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 12 of 53 Tableau TD1 Forensic Duplicator
522 DA-01-ATA48 Test Case DA-01-ATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 115123 2011 Drives src(4C) dst (46-SATA) other (none)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 390700737 sectors 200038777344 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 46
====== Comparison of original to clone drive ======Sectors compared 390721968Sectors match 390721968 Sectors differ 0 Bytes differ 0 Diffs rangeSource (390721968) has 97675200 fewer sectors than destination (488397168)Zero fill 0 Src Byte fill (4C) 0 Dst Byte fill (46) 97675200Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 390721968-488397167 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======
July 2011 13 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
July 2011
Test Results for Digital Data Acquisition Tool Tableau TD1 Forensic Duplicator Firmware Version 234 Feb 17 2011
Contents
Introduction1 How to Read This Report 1 1 Results Summary 3 2 Test Case Selection 4 3 Results by Test Assertion5
July 2011tableau_td1_nij 72811_KE edit 1024doc ii Tableau T
Introduction
The Computer Forensics Tool Testing (CFTT) program is a joint project of the National Institute of Justice (NIJ) the Department of Homeland Security (DHS) and the National Institute of Standards and Technologyrsquos Law Enforcement Standards Office and Information Technology Laboratory CFTT is supported by other organizations including the Federal Bureau of Investigation the US Department of Defense Cyber Crime Center the US Internal Revenue Service Criminal Investigation Division Electronic Crimes Program and the US Department of Homeland Securityrsquos Bureau of Immigration and Customs Enforcement US Customs and Border Protection and US Secret Service The objective of the CFTT program is to provide measurable assurance to practitioners researchers and other applicable users that the tools used in computer forensics investigations provide accurate results Accomplishing this requires the development of specifications and test methods for computer forensics tools and subsequent testing of specific tools against those specifications
Test results provide the information necessary for developers to improve tools users to make informed choices and the legal community and others to understand the toolsrsquo capabilities The CFTT approach to testing computer forensic tools is based on well-recognized methodologies for conformance and quality testing The specifications and test methods are posted on the CFTT Web site (httpwwwcfttnistgov) for review and comment by the computer forensics community
This document reports the results from testing the Tableau TD1 Forensic Duplicator firmware version 234 Feb 17 2011 against the Digital Data Acquisition Tool Assertions and Test Plan Version 10 available at the CFTT Web site (httpwwwcfttnistgovDA-ATP-pc-01pdf)
Test results from other tools and the CFTT tool methodology can be found on NIJrsquos CFTT Web page httpwwwnijgovnijtopicsforensicsevidencedigitalstandardscftthtm
How to Read This Report This report is divided into five sections The first section is a summary of the results from the test runs and is sufficient for most readers to assess the suitability of the tool for the intended use The remaining sections of the report describe how the tests were conducted discuss any anomalies that were encountered and provide documentation of test case run details that support the report summary Section 2 gives justification for the selection of test cases from the set of possible cases defined in the test plan for Digital Data Acquisition tools The test cases are selected in general based on features offered by the tool Section 3 describes in more depth any anomalies summarized in the first section Section 4 lists hardware and software used to run the test cases with links to additional information about the items used Section 5 contains a description of each test case run
that lists all test assertions used in the test case the expected result and the actual result Please refer to the vendorrsquos owner manual for guidance on using the tool
July 2011 2 of 53 Tableau TD1 Forensic Duplicator
Test Results for Digital Data Acquisition Tool Tool Tested TD1 Forensic Duplicator
Firmware Version 234 Feb 17 2011
Supplier Guidance Software Inc
Address W223 N608 Saratoga Drive Waukesha WI 53186
Tel (262) 522-7890 Fax (262) 522-7899
Email supporttableaucom WWW httpwwwtableaucom
1 Results Summary The tool acquired source drives completely and accurately with the exception of the following one case where a source drive containing faulty sectors was imaged and two cases where source drives containing hidden sectors were imaged In addition there were two cases where the tool generated bogus alert messages in place of alerting the user to the presence of hidden sectors on the source drive
The following behaviors were observed bull When the tool was executed using the fast error recovery mode and faulty sectors
were encountered some readable sectors near the faulty sectors were replaced by zeros in the created clone (test case DA-09-FAST) This is the intended tool behavior as specified by the tool vendor
bull In two cases DA-08-ATA28 (drive containing an HPA) and DA-08-DCO-ALT (drive containing a DCO) in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 the tool removed the HPA from the source and all sectors were acquired In case DA-08-DCO-ALT the tool did not remove the DCO from the source and hidden sectors were not acquired
bull The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using the ldquoDisk Utilitiesrdquo Remove DCO amp HPA menu option In cases DA-08-DCO and DA-08-DCO-ALT the Remove DCO amp HPA option was not exercised and sectors hidden by a DCO were not acquired In case DA-08-DCO-ALT-SATA the Remove DCO amp HPA option was exercised to remove the DCO and all sectors were successfully acquired
July 2011 3 of 53 Tableau TD1 Forensic Duplicator
2 Test Case Selection Test cases used to test disk imaging tools are defined in Digital Data Acquisition Tool Assertions and Test Plan Version 10 To test a tool test cases are selected from the Test Plan document based on the features offered by the tool Not all test cases or test assertions are appropriate for all tools There is a core set of base cases (DA-06 and DA-08) that are executed for every tool tested Tool features guide the selection of additional test cases If a given tool implements a given feature then the test cases linked to that feature are run Table 1 lists the features available in the TD1 Forensic Duplicator and the linked test cases selected for execution Table 2 lists the features not available in the TD1 Forensic Duplicator and the test cases not executed
Table 1 Selected Test Cases
Supported Optional Feature Cases Selected for Execution Create a clone during acquisition 01 Create a truncated clone from a physical device 04 Base cases 06 amp 08 Read error during acquisition 09 Create an image file in more than one format 10 Destination device switching 13
Table 2 Omitted Test Cases
Unsupported Optional Feature Cases Omitted (Not Executed) Create an unaligned clone from a digital source 02 Create cylinder aligned clones 03 15 21 amp 23 Device IO error generator available 05 11 amp 18 Create an image of a partition 07 Insufficient space for image file 12 Create a clone from an image file 14 amp 17 Create a clone from a subset of an image file 16 Fill excess sectors on a clone acquisition 19 Fill excess sectors on a clone device 20 21 22 amp 23 Detect a corrupted (or changed) image file 24 amp 25 Convert an image file from one format to another 26
Some test cases have variant forms to accommodate parameters within test assertions These variations cover the acquisition interface to the source drive and the way that sectors are hidden on a drive Additional parameters that were varied between test cases were interface to target device use of the verify hash setting error recovery mode and chunk (image file) size
The following source access interfaces were tested ATA28 ATA48 SATA28 SATA48 and ESATA These are noted as variations on test cases DA-01 DA-06 and DA-08
July 2011 4 of 53 Tableau TD1 Forensic Duplicator
For test case DA-09 the TD1 Forensic Duplicator offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some good sectors bull complete ndash reads all readable sectors
3 Results by Test Assertion A test assertion is a verifiable statement about a single condition after an action is performed by the tool under test A test case usually checks a group of assertions after the action of a single execution of the tool under test Test assertions are defined and linked to test cases in Digital Data Acquisition Tool Assertions and Test Plan Version 10 Table 3 summarizes the test results for all the test cases by assertion The column labeled Assertions Tested gives the text of each assertion The column labeled Tests gives the number of test cases that use the given assertion The column labeled Anomaly gives the section number in this report where any observed anomalies are discussed
Table 3 Assertions Tested
Assertions Tested Tests Anomaly AM-01 The tool uses access interface SRC-AI to access the digital source
20
AM-02 The tool acquires digital source DS 20 AM-03 The tool executes in execution environment XE 20 AM-04 If clone creation is specified the tool creates a clone of the digital source
6
AM-05 If image file creation is specified the tool creates an image file on file system type FS
14
AM-06 All visible sectors are acquired from the digital source 20 31 AM-07 All hidden sectors are acquired from the digital source 5 32 AM-08 All sectors acquired from the digital source are acquired accurately
20
AM-09 If unresolved errors occur while reading from the selected digital source the tool notifies the user of the error type and location within the digital source
2
AM-10 If unresolved errors occur while reading from the selected digital source the tool uses a benign fill in the destination object in place of the inaccessible data
2
AO-01 If the tool creates an image file the data represented by the image file is the same as the data acquired by the tool
14
AO-02 If an image file format is specified the tool creates an image file in the specified format
1
AO-04 If the tool is creating an image file and there is insufficient space on the image destination device to contain the image file the tool shall notify the user
1
AO-05 If the tool creates a multi-file image of a requested size then all the individual files shall be no larger than the requested size
14
July 2011 5 of 53 Tableau TD1 Forensic Duplicator
Assertions Tested Tests Anomaly AO-10 If there is insufficient space to contain all files of a multi-file image and if destination device switching is supported the image is continued on another device
1
AO-11 If requested a clone is created during an acquisition of a digital source
6
AO-13 A clone is created using access interface DST-AI to write to the clone device
6
AO-14 If an unaligned clone is created each sector written to the clone is accurately written to the same disk address on the clone that the sector occupied on the digital source
6
AO-17 If requested any excess sectors on a clone destination device are not modified
4
AO-19 If there is insufficient space to create a complete clone a truncated clone is created using all available sectors of the clone device
1
AO-20 If a truncated clone is created the tool notifies the user 1 AO-23 If the tool logs any log significant information the information is accurately recorded in the log file
20 33
AO-24 If the tool executes in a forensically safe execution environment the digital source is unchanged by the acquisition process
20
Two test assertions only apply in special circumstances The assertion AO-22 is checked only for tools that create block hashes The assertion AO-24 is only checked if the tool is executed in a run time environment that does not modify attached storage devices such as MS DOS In normal operation an imaging tool is used in conjunction with a write block device to protect the source drive however a blocker was not used during the tests so that assertion AO-24 could be checked Table 4 lists the assertions that were not tested usually due to the tool not supporting some optional feature eg creation of cylinder aligned clones
Table 4 Assertions Not Tested
Assertions Not Tested AO-03 If there is an error while writing the image file the tool notifies the user AO-06 If the tool performs an image file integrity check on an image file that has not been changed since the file was created the tool shall notify the user that the image file has not been changed AO-07 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user that the image file has been changed AO-08 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user of the affected locations AO-09 If the tool converts a source image file from one format to a target image file in another format the acquired data represented in the target image file is the same as the
July 2011 6 of 53 Tableau TD1 Forensic Duplicator
Assertions Not Tested acquired data in the source image file AO-12 If requested a clone is created from an image file AO-15 If an aligned clone is created each sector within a contiguous span of sectors from the source is accurately written to the same disk address on the clone device relative to the start of the span as the sector occupied on the original digital source A span of sectors is defined to be either a mountable partition or a contiguous sequence of sectors not part of a mountable partition Extended partitions which may contain both mountable partitions and unallocated sectors are not mountable partitions AO-16 If a subset of an image or acquisition is specified all the subset is cloned AO-18 If requested a benign fill is written to excess sectors of a clone AO-21 If there is a write error during clone creation the tool notifies the user AO-22 If requested the tool calculates block hashes for a specified block size during an acquisition for each block acquired from the digital source
31 Acquisition of Faulty Sectors The Tableau TD1 Forensic Duplicator (firmware version 234 Feb 17 2011) offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some readable sectors near faulty sectors bull complete ndash reads all readable sectors
For test case DA-09-FAST the fast error recovery mode was specified and readable sectors in the same 128-sector imaging block as faulty sectors were skipped and replaced by zeros in the created clone For test case DA-09-COMPLETE the complete error recovery mode was specified and all readable sectors were acquired This is the behavior intended for the tool by the tool vendor
32 DCO Hidden Sector Tests The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using a Disk Utilities option In cases DA-08-DCO and DA-08-DCO-ALT the Disk Utilities option was not exercised and sectors hidden by a DCO were not acquired in case DA-08-DCO-ALT-SATA the Disk Utilities option was exercised to remove the DCO and all sectors were successfully acquired
33 Bogus Error Messages The tool is designed to warn the user prior to the start of an acquisition when a source drive contains hidden sectors (ie an HPA or DCO) In two cases DA-08-ATA28 and DA-08-DCO-ALT in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 a source drive containing an HPA was imaged The tool automatically removed the HPA and acquired all visible and hidden sectors In case DA-08-DCO-ALT a source
July 2011 7 of 53 Tableau TD1 Forensic Duplicator
drive containing a DCO was imaged In this case visible sectors were acquired but sectors hidden by a DCO were not
4 Testing Environment The tests were run in the NIST CFTT lab This section describes using the support software and notes on test hardware
41 Support Software A package of programs to support test analysis FS-TST Release 20 was used The software can be obtained from httpwwwcfttnistgovdiskimagingfs-tst20zip
42 Test Drive Creation There are three ways that a hard drive may be used in a tool test case as a source drive that is imaged by the tool as a media drive that contains image files created by the tool under test or as a destination drive on which the tool under test creates a clone of the source drive In addition to the operating system drive formatting tools some tools (diskwipe and diskhash) from the FS-TST package are used to set up test drives
To set up a media drive the drive is formatted with one of the supported file systems A media drive may be used in several test cases
The setup of most source drives follows the same general procedure but there are several steps that may be varied depending on the needs of the test case
1 The drive is filled with known data by the diskwipe program from FS-TST The diskwipe program writes the sector address to each sector in both CHS and LBA format The remainder of the sector bytes is set to a constant fill value unique for each drive The fill value is noted in the diskwipe tool log file
2 The drive may be formatted with partitions as required for the test case 3 An operating system may optionally be installed 4 A set of reference hashes is created by the FS-TST diskhash tool These include
both SHA1 and MD5 hashes In addition to full drive hashes hashes of each partition may also be computed
5 If the drive is intended for hidden area tests (DA-08) an HPA a DCO or both may be created The diskhash tool is then used to calculate reference hashes of just the visible sectors of the drive
The source drives for DA-09 are created such that there is a consistent set of faulty sectors on the drive Each of these source drives is initialized with diskwipe and then their faulty sectors are activated For each of these source drives a second drive of the same size with the same content as the faulty sector drive but with no faulty sectors serves as a reference drive for images made from the faulty drive
To set up a destination drive the drive is filled with known data by the diskwipe program from FS-TST Partitions may be created if the test case involves restoring from the image of a logical acquire
July 2011 8 of 53 Tableau TD1 Forensic Duplicator
43 Test Drive Analysis For test cases that create a clone of a physical device (eg DA-01 DA-04) the destination drive is compared to the source drive with the diskcmp program from the FS-TST package For test cases that create a clone of a logical device (ie a partition eg DA-02 DA-20) the destination partition is compared to the source partition with the partcmp program For a destination created from an image file (eg DA-14) the destination is compared using either diskcmp (for physical device clones) or partcmp (for partition clones) to the source that was acquired to create the image file Both diskcmp and partcmp note differences between the source and destination If the destination is larger than the source it is scanned and the excess destination sectors are categorized as either undisturbed (still containing the fill pattern written by diskwipe) zero filled or changed to something else
For test case DA-09 imaging a drive with known faulty sectors the program anabad is used to compare the faulty sector reference drive to a cloned version of the faulty sector drive
For test cases such as DA-06 and DA-07 any acquisition hash computed by the tool under test is compared to the reference hash of the source to check that the source is completely and accurately acquired
44 Note on Test Drives The testing uses several test drives from a variety of vendors The drives are identified by an external label that consists of a 2-digit hexadecimal value and an optional tag (eg 25-SATA) The combination of hex value and tag serves as a unique identifier for each drive The 2-digit hex value is used by the FS-TST diskwipe program as a sector fill value The FS-TST compare tools diskcmp and partcmp count sectors that are filled with the source and destination fill values on a destination that is larger than the original source
5 Test Results The main item of interest for interpreting the test results is determining the conformance of the device with the test assertions Conformance with each assertion tested by a given test case is evaluated by examining the Log Highlights box of the test case details
51 Test Results Report Key A summary of the actual test results is presented in this report The following table presents a description of each section of the test report summary The Tester Name Test Host Test Date Drives Source Setup and Log Highlights sections for each test case are populated by excerpts taken from the log files produced by the tool under test and the FS-TST tools that were executed in support of test case setup and analysis
Heading Description First Line Test case ID name and version of tool tested Case Summary Test case summary from Digital Data Acquisition Tool
Assertions and Test Plan Version 10
July 2011 9 of 53 Tableau TD1 Forensic Duplicator
Heading Description Assertions The test assertions applicable to the test case selected from
Digital Data Acquisition Tool Assertions and Test Plan Version 10
Tester Name Name or initials of person executing test procedure Test Host Host computer executing the test Test Date Time and date that test was started Drives Source drive (the drive acquired) destination drive (if a
clone is created) and media drive (to contain a created image)
Source Setup Layout of partitions on the source drive and the expected hash of the drive
Log Highlights Information extracted from various log files to illustrate conformance or nonconformance to the test assertions
Results Expected and actual results for each assertion tested Analysis Whether or not the expected results were achieved
52 Test Details
521 DA-01-ATA28 Test Case DA-01-ATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 104849 2011 Drives src(01-IDE) dst (58-IDE) other (none)Source src hash (SHA1) lt A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9 gtSetup src hash (MD5) lt F458F673894753FA6A0EC8B8EC63848E gt
78165360 total sectors (40020664320 bytes)Model (0BB-00JHC0 ) serial ( WD-WMAMC74171)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057175335 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12
July 2011 10 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027744255 102300001 102325463 05 extended 15 S 000000063 027744192 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry
LogHighlights
====== Destination drive setup ======117231408 sectors wiped with 58
====== Comparison of original to clone drive ======Sectors compared 78165360Sectors match 78165360 Sectors differ 0 Bytes differ 0 Diffs rangeSource (78165360) has 39066048 fewer sectors than destination (117231408)Zero fill 0 Src Byte fill (01) 0 Dst Byte fill (58) 39066048Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 78165360-117231407 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA28 of sectors acquired 78165360 (400 GB)Source hash SHA1 a48bb5665d6dc57c22db68e2f723da9aa8df82b9 MD5 f458f673894753fa6a0ec8b8ec63848e
====== Source drive rehash ====== Rehash (SHA1) of source A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expected
July 2011 11 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 AO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 12 of 53 Tableau TD1 Forensic Duplicator
522 DA-01-ATA48 Test Case DA-01-ATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 115123 2011 Drives src(4C) dst (46-SATA) other (none)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 390700737 sectors 200038777344 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 46
====== Comparison of original to clone drive ======Sectors compared 390721968Sectors match 390721968 Sectors differ 0 Bytes differ 0 Diffs rangeSource (390721968) has 97675200 fewer sectors than destination (488397168)Zero fill 0 Src Byte fill (4C) 0 Dst Byte fill (46) 97675200Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 390721968-488397167 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======
July 2011 13 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Contents
Introduction1 How to Read This Report 1 1 Results Summary 3 2 Test Case Selection 4 3 Results by Test Assertion5
July 2011tableau_td1_nij 72811_KE edit 1024doc ii Tableau T
Introduction
The Computer Forensics Tool Testing (CFTT) program is a joint project of the National Institute of Justice (NIJ) the Department of Homeland Security (DHS) and the National Institute of Standards and Technologyrsquos Law Enforcement Standards Office and Information Technology Laboratory CFTT is supported by other organizations including the Federal Bureau of Investigation the US Department of Defense Cyber Crime Center the US Internal Revenue Service Criminal Investigation Division Electronic Crimes Program and the US Department of Homeland Securityrsquos Bureau of Immigration and Customs Enforcement US Customs and Border Protection and US Secret Service The objective of the CFTT program is to provide measurable assurance to practitioners researchers and other applicable users that the tools used in computer forensics investigations provide accurate results Accomplishing this requires the development of specifications and test methods for computer forensics tools and subsequent testing of specific tools against those specifications
Test results provide the information necessary for developers to improve tools users to make informed choices and the legal community and others to understand the toolsrsquo capabilities The CFTT approach to testing computer forensic tools is based on well-recognized methodologies for conformance and quality testing The specifications and test methods are posted on the CFTT Web site (httpwwwcfttnistgov) for review and comment by the computer forensics community
This document reports the results from testing the Tableau TD1 Forensic Duplicator firmware version 234 Feb 17 2011 against the Digital Data Acquisition Tool Assertions and Test Plan Version 10 available at the CFTT Web site (httpwwwcfttnistgovDA-ATP-pc-01pdf)
Test results from other tools and the CFTT tool methodology can be found on NIJrsquos CFTT Web page httpwwwnijgovnijtopicsforensicsevidencedigitalstandardscftthtm
How to Read This Report This report is divided into five sections The first section is a summary of the results from the test runs and is sufficient for most readers to assess the suitability of the tool for the intended use The remaining sections of the report describe how the tests were conducted discuss any anomalies that were encountered and provide documentation of test case run details that support the report summary Section 2 gives justification for the selection of test cases from the set of possible cases defined in the test plan for Digital Data Acquisition tools The test cases are selected in general based on features offered by the tool Section 3 describes in more depth any anomalies summarized in the first section Section 4 lists hardware and software used to run the test cases with links to additional information about the items used Section 5 contains a description of each test case run
that lists all test assertions used in the test case the expected result and the actual result Please refer to the vendorrsquos owner manual for guidance on using the tool
July 2011 2 of 53 Tableau TD1 Forensic Duplicator
Test Results for Digital Data Acquisition Tool Tool Tested TD1 Forensic Duplicator
Firmware Version 234 Feb 17 2011
Supplier Guidance Software Inc
Address W223 N608 Saratoga Drive Waukesha WI 53186
Tel (262) 522-7890 Fax (262) 522-7899
Email supporttableaucom WWW httpwwwtableaucom
1 Results Summary The tool acquired source drives completely and accurately with the exception of the following one case where a source drive containing faulty sectors was imaged and two cases where source drives containing hidden sectors were imaged In addition there were two cases where the tool generated bogus alert messages in place of alerting the user to the presence of hidden sectors on the source drive
The following behaviors were observed bull When the tool was executed using the fast error recovery mode and faulty sectors
were encountered some readable sectors near the faulty sectors were replaced by zeros in the created clone (test case DA-09-FAST) This is the intended tool behavior as specified by the tool vendor
bull In two cases DA-08-ATA28 (drive containing an HPA) and DA-08-DCO-ALT (drive containing a DCO) in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 the tool removed the HPA from the source and all sectors were acquired In case DA-08-DCO-ALT the tool did not remove the DCO from the source and hidden sectors were not acquired
bull The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using the ldquoDisk Utilitiesrdquo Remove DCO amp HPA menu option In cases DA-08-DCO and DA-08-DCO-ALT the Remove DCO amp HPA option was not exercised and sectors hidden by a DCO were not acquired In case DA-08-DCO-ALT-SATA the Remove DCO amp HPA option was exercised to remove the DCO and all sectors were successfully acquired
July 2011 3 of 53 Tableau TD1 Forensic Duplicator
2 Test Case Selection Test cases used to test disk imaging tools are defined in Digital Data Acquisition Tool Assertions and Test Plan Version 10 To test a tool test cases are selected from the Test Plan document based on the features offered by the tool Not all test cases or test assertions are appropriate for all tools There is a core set of base cases (DA-06 and DA-08) that are executed for every tool tested Tool features guide the selection of additional test cases If a given tool implements a given feature then the test cases linked to that feature are run Table 1 lists the features available in the TD1 Forensic Duplicator and the linked test cases selected for execution Table 2 lists the features not available in the TD1 Forensic Duplicator and the test cases not executed
Table 1 Selected Test Cases
Supported Optional Feature Cases Selected for Execution Create a clone during acquisition 01 Create a truncated clone from a physical device 04 Base cases 06 amp 08 Read error during acquisition 09 Create an image file in more than one format 10 Destination device switching 13
Table 2 Omitted Test Cases
Unsupported Optional Feature Cases Omitted (Not Executed) Create an unaligned clone from a digital source 02 Create cylinder aligned clones 03 15 21 amp 23 Device IO error generator available 05 11 amp 18 Create an image of a partition 07 Insufficient space for image file 12 Create a clone from an image file 14 amp 17 Create a clone from a subset of an image file 16 Fill excess sectors on a clone acquisition 19 Fill excess sectors on a clone device 20 21 22 amp 23 Detect a corrupted (or changed) image file 24 amp 25 Convert an image file from one format to another 26
Some test cases have variant forms to accommodate parameters within test assertions These variations cover the acquisition interface to the source drive and the way that sectors are hidden on a drive Additional parameters that were varied between test cases were interface to target device use of the verify hash setting error recovery mode and chunk (image file) size
The following source access interfaces were tested ATA28 ATA48 SATA28 SATA48 and ESATA These are noted as variations on test cases DA-01 DA-06 and DA-08
July 2011 4 of 53 Tableau TD1 Forensic Duplicator
For test case DA-09 the TD1 Forensic Duplicator offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some good sectors bull complete ndash reads all readable sectors
3 Results by Test Assertion A test assertion is a verifiable statement about a single condition after an action is performed by the tool under test A test case usually checks a group of assertions after the action of a single execution of the tool under test Test assertions are defined and linked to test cases in Digital Data Acquisition Tool Assertions and Test Plan Version 10 Table 3 summarizes the test results for all the test cases by assertion The column labeled Assertions Tested gives the text of each assertion The column labeled Tests gives the number of test cases that use the given assertion The column labeled Anomaly gives the section number in this report where any observed anomalies are discussed
Table 3 Assertions Tested
Assertions Tested Tests Anomaly AM-01 The tool uses access interface SRC-AI to access the digital source
20
AM-02 The tool acquires digital source DS 20 AM-03 The tool executes in execution environment XE 20 AM-04 If clone creation is specified the tool creates a clone of the digital source
6
AM-05 If image file creation is specified the tool creates an image file on file system type FS
14
AM-06 All visible sectors are acquired from the digital source 20 31 AM-07 All hidden sectors are acquired from the digital source 5 32 AM-08 All sectors acquired from the digital source are acquired accurately
20
AM-09 If unresolved errors occur while reading from the selected digital source the tool notifies the user of the error type and location within the digital source
2
AM-10 If unresolved errors occur while reading from the selected digital source the tool uses a benign fill in the destination object in place of the inaccessible data
2
AO-01 If the tool creates an image file the data represented by the image file is the same as the data acquired by the tool
14
AO-02 If an image file format is specified the tool creates an image file in the specified format
1
AO-04 If the tool is creating an image file and there is insufficient space on the image destination device to contain the image file the tool shall notify the user
1
AO-05 If the tool creates a multi-file image of a requested size then all the individual files shall be no larger than the requested size
14
July 2011 5 of 53 Tableau TD1 Forensic Duplicator
Assertions Tested Tests Anomaly AO-10 If there is insufficient space to contain all files of a multi-file image and if destination device switching is supported the image is continued on another device
1
AO-11 If requested a clone is created during an acquisition of a digital source
6
AO-13 A clone is created using access interface DST-AI to write to the clone device
6
AO-14 If an unaligned clone is created each sector written to the clone is accurately written to the same disk address on the clone that the sector occupied on the digital source
6
AO-17 If requested any excess sectors on a clone destination device are not modified
4
AO-19 If there is insufficient space to create a complete clone a truncated clone is created using all available sectors of the clone device
1
AO-20 If a truncated clone is created the tool notifies the user 1 AO-23 If the tool logs any log significant information the information is accurately recorded in the log file
20 33
AO-24 If the tool executes in a forensically safe execution environment the digital source is unchanged by the acquisition process
20
Two test assertions only apply in special circumstances The assertion AO-22 is checked only for tools that create block hashes The assertion AO-24 is only checked if the tool is executed in a run time environment that does not modify attached storage devices such as MS DOS In normal operation an imaging tool is used in conjunction with a write block device to protect the source drive however a blocker was not used during the tests so that assertion AO-24 could be checked Table 4 lists the assertions that were not tested usually due to the tool not supporting some optional feature eg creation of cylinder aligned clones
Table 4 Assertions Not Tested
Assertions Not Tested AO-03 If there is an error while writing the image file the tool notifies the user AO-06 If the tool performs an image file integrity check on an image file that has not been changed since the file was created the tool shall notify the user that the image file has not been changed AO-07 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user that the image file has been changed AO-08 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user of the affected locations AO-09 If the tool converts a source image file from one format to a target image file in another format the acquired data represented in the target image file is the same as the
July 2011 6 of 53 Tableau TD1 Forensic Duplicator
Assertions Not Tested acquired data in the source image file AO-12 If requested a clone is created from an image file AO-15 If an aligned clone is created each sector within a contiguous span of sectors from the source is accurately written to the same disk address on the clone device relative to the start of the span as the sector occupied on the original digital source A span of sectors is defined to be either a mountable partition or a contiguous sequence of sectors not part of a mountable partition Extended partitions which may contain both mountable partitions and unallocated sectors are not mountable partitions AO-16 If a subset of an image or acquisition is specified all the subset is cloned AO-18 If requested a benign fill is written to excess sectors of a clone AO-21 If there is a write error during clone creation the tool notifies the user AO-22 If requested the tool calculates block hashes for a specified block size during an acquisition for each block acquired from the digital source
31 Acquisition of Faulty Sectors The Tableau TD1 Forensic Duplicator (firmware version 234 Feb 17 2011) offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some readable sectors near faulty sectors bull complete ndash reads all readable sectors
For test case DA-09-FAST the fast error recovery mode was specified and readable sectors in the same 128-sector imaging block as faulty sectors were skipped and replaced by zeros in the created clone For test case DA-09-COMPLETE the complete error recovery mode was specified and all readable sectors were acquired This is the behavior intended for the tool by the tool vendor
32 DCO Hidden Sector Tests The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using a Disk Utilities option In cases DA-08-DCO and DA-08-DCO-ALT the Disk Utilities option was not exercised and sectors hidden by a DCO were not acquired in case DA-08-DCO-ALT-SATA the Disk Utilities option was exercised to remove the DCO and all sectors were successfully acquired
33 Bogus Error Messages The tool is designed to warn the user prior to the start of an acquisition when a source drive contains hidden sectors (ie an HPA or DCO) In two cases DA-08-ATA28 and DA-08-DCO-ALT in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 a source drive containing an HPA was imaged The tool automatically removed the HPA and acquired all visible and hidden sectors In case DA-08-DCO-ALT a source
July 2011 7 of 53 Tableau TD1 Forensic Duplicator
drive containing a DCO was imaged In this case visible sectors were acquired but sectors hidden by a DCO were not
4 Testing Environment The tests were run in the NIST CFTT lab This section describes using the support software and notes on test hardware
41 Support Software A package of programs to support test analysis FS-TST Release 20 was used The software can be obtained from httpwwwcfttnistgovdiskimagingfs-tst20zip
42 Test Drive Creation There are three ways that a hard drive may be used in a tool test case as a source drive that is imaged by the tool as a media drive that contains image files created by the tool under test or as a destination drive on which the tool under test creates a clone of the source drive In addition to the operating system drive formatting tools some tools (diskwipe and diskhash) from the FS-TST package are used to set up test drives
To set up a media drive the drive is formatted with one of the supported file systems A media drive may be used in several test cases
The setup of most source drives follows the same general procedure but there are several steps that may be varied depending on the needs of the test case
1 The drive is filled with known data by the diskwipe program from FS-TST The diskwipe program writes the sector address to each sector in both CHS and LBA format The remainder of the sector bytes is set to a constant fill value unique for each drive The fill value is noted in the diskwipe tool log file
2 The drive may be formatted with partitions as required for the test case 3 An operating system may optionally be installed 4 A set of reference hashes is created by the FS-TST diskhash tool These include
both SHA1 and MD5 hashes In addition to full drive hashes hashes of each partition may also be computed
5 If the drive is intended for hidden area tests (DA-08) an HPA a DCO or both may be created The diskhash tool is then used to calculate reference hashes of just the visible sectors of the drive
The source drives for DA-09 are created such that there is a consistent set of faulty sectors on the drive Each of these source drives is initialized with diskwipe and then their faulty sectors are activated For each of these source drives a second drive of the same size with the same content as the faulty sector drive but with no faulty sectors serves as a reference drive for images made from the faulty drive
To set up a destination drive the drive is filled with known data by the diskwipe program from FS-TST Partitions may be created if the test case involves restoring from the image of a logical acquire
July 2011 8 of 53 Tableau TD1 Forensic Duplicator
43 Test Drive Analysis For test cases that create a clone of a physical device (eg DA-01 DA-04) the destination drive is compared to the source drive with the diskcmp program from the FS-TST package For test cases that create a clone of a logical device (ie a partition eg DA-02 DA-20) the destination partition is compared to the source partition with the partcmp program For a destination created from an image file (eg DA-14) the destination is compared using either diskcmp (for physical device clones) or partcmp (for partition clones) to the source that was acquired to create the image file Both diskcmp and partcmp note differences between the source and destination If the destination is larger than the source it is scanned and the excess destination sectors are categorized as either undisturbed (still containing the fill pattern written by diskwipe) zero filled or changed to something else
For test case DA-09 imaging a drive with known faulty sectors the program anabad is used to compare the faulty sector reference drive to a cloned version of the faulty sector drive
For test cases such as DA-06 and DA-07 any acquisition hash computed by the tool under test is compared to the reference hash of the source to check that the source is completely and accurately acquired
44 Note on Test Drives The testing uses several test drives from a variety of vendors The drives are identified by an external label that consists of a 2-digit hexadecimal value and an optional tag (eg 25-SATA) The combination of hex value and tag serves as a unique identifier for each drive The 2-digit hex value is used by the FS-TST diskwipe program as a sector fill value The FS-TST compare tools diskcmp and partcmp count sectors that are filled with the source and destination fill values on a destination that is larger than the original source
5 Test Results The main item of interest for interpreting the test results is determining the conformance of the device with the test assertions Conformance with each assertion tested by a given test case is evaluated by examining the Log Highlights box of the test case details
51 Test Results Report Key A summary of the actual test results is presented in this report The following table presents a description of each section of the test report summary The Tester Name Test Host Test Date Drives Source Setup and Log Highlights sections for each test case are populated by excerpts taken from the log files produced by the tool under test and the FS-TST tools that were executed in support of test case setup and analysis
Heading Description First Line Test case ID name and version of tool tested Case Summary Test case summary from Digital Data Acquisition Tool
Assertions and Test Plan Version 10
July 2011 9 of 53 Tableau TD1 Forensic Duplicator
Heading Description Assertions The test assertions applicable to the test case selected from
Digital Data Acquisition Tool Assertions and Test Plan Version 10
Tester Name Name or initials of person executing test procedure Test Host Host computer executing the test Test Date Time and date that test was started Drives Source drive (the drive acquired) destination drive (if a
clone is created) and media drive (to contain a created image)
Source Setup Layout of partitions on the source drive and the expected hash of the drive
Log Highlights Information extracted from various log files to illustrate conformance or nonconformance to the test assertions
Results Expected and actual results for each assertion tested Analysis Whether or not the expected results were achieved
52 Test Details
521 DA-01-ATA28 Test Case DA-01-ATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 104849 2011 Drives src(01-IDE) dst (58-IDE) other (none)Source src hash (SHA1) lt A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9 gtSetup src hash (MD5) lt F458F673894753FA6A0EC8B8EC63848E gt
78165360 total sectors (40020664320 bytes)Model (0BB-00JHC0 ) serial ( WD-WMAMC74171)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057175335 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12
July 2011 10 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027744255 102300001 102325463 05 extended 15 S 000000063 027744192 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry
LogHighlights
====== Destination drive setup ======117231408 sectors wiped with 58
====== Comparison of original to clone drive ======Sectors compared 78165360Sectors match 78165360 Sectors differ 0 Bytes differ 0 Diffs rangeSource (78165360) has 39066048 fewer sectors than destination (117231408)Zero fill 0 Src Byte fill (01) 0 Dst Byte fill (58) 39066048Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 78165360-117231407 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA28 of sectors acquired 78165360 (400 GB)Source hash SHA1 a48bb5665d6dc57c22db68e2f723da9aa8df82b9 MD5 f458f673894753fa6a0ec8b8ec63848e
====== Source drive rehash ====== Rehash (SHA1) of source A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expected
July 2011 11 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 AO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 12 of 53 Tableau TD1 Forensic Duplicator
522 DA-01-ATA48 Test Case DA-01-ATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 115123 2011 Drives src(4C) dst (46-SATA) other (none)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 390700737 sectors 200038777344 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 46
====== Comparison of original to clone drive ======Sectors compared 390721968Sectors match 390721968 Sectors differ 0 Bytes differ 0 Diffs rangeSource (390721968) has 97675200 fewer sectors than destination (488397168)Zero fill 0 Src Byte fill (4C) 0 Dst Byte fill (46) 97675200Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 390721968-488397167 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======
July 2011 13 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Introduction
The Computer Forensics Tool Testing (CFTT) program is a joint project of the National Institute of Justice (NIJ) the Department of Homeland Security (DHS) and the National Institute of Standards and Technologyrsquos Law Enforcement Standards Office and Information Technology Laboratory CFTT is supported by other organizations including the Federal Bureau of Investigation the US Department of Defense Cyber Crime Center the US Internal Revenue Service Criminal Investigation Division Electronic Crimes Program and the US Department of Homeland Securityrsquos Bureau of Immigration and Customs Enforcement US Customs and Border Protection and US Secret Service The objective of the CFTT program is to provide measurable assurance to practitioners researchers and other applicable users that the tools used in computer forensics investigations provide accurate results Accomplishing this requires the development of specifications and test methods for computer forensics tools and subsequent testing of specific tools against those specifications
Test results provide the information necessary for developers to improve tools users to make informed choices and the legal community and others to understand the toolsrsquo capabilities The CFTT approach to testing computer forensic tools is based on well-recognized methodologies for conformance and quality testing The specifications and test methods are posted on the CFTT Web site (httpwwwcfttnistgov) for review and comment by the computer forensics community
This document reports the results from testing the Tableau TD1 Forensic Duplicator firmware version 234 Feb 17 2011 against the Digital Data Acquisition Tool Assertions and Test Plan Version 10 available at the CFTT Web site (httpwwwcfttnistgovDA-ATP-pc-01pdf)
Test results from other tools and the CFTT tool methodology can be found on NIJrsquos CFTT Web page httpwwwnijgovnijtopicsforensicsevidencedigitalstandardscftthtm
How to Read This Report This report is divided into five sections The first section is a summary of the results from the test runs and is sufficient for most readers to assess the suitability of the tool for the intended use The remaining sections of the report describe how the tests were conducted discuss any anomalies that were encountered and provide documentation of test case run details that support the report summary Section 2 gives justification for the selection of test cases from the set of possible cases defined in the test plan for Digital Data Acquisition tools The test cases are selected in general based on features offered by the tool Section 3 describes in more depth any anomalies summarized in the first section Section 4 lists hardware and software used to run the test cases with links to additional information about the items used Section 5 contains a description of each test case run
that lists all test assertions used in the test case the expected result and the actual result Please refer to the vendorrsquos owner manual for guidance on using the tool
July 2011 2 of 53 Tableau TD1 Forensic Duplicator
Test Results for Digital Data Acquisition Tool Tool Tested TD1 Forensic Duplicator
Firmware Version 234 Feb 17 2011
Supplier Guidance Software Inc
Address W223 N608 Saratoga Drive Waukesha WI 53186
Tel (262) 522-7890 Fax (262) 522-7899
Email supporttableaucom WWW httpwwwtableaucom
1 Results Summary The tool acquired source drives completely and accurately with the exception of the following one case where a source drive containing faulty sectors was imaged and two cases where source drives containing hidden sectors were imaged In addition there were two cases where the tool generated bogus alert messages in place of alerting the user to the presence of hidden sectors on the source drive
The following behaviors were observed bull When the tool was executed using the fast error recovery mode and faulty sectors
were encountered some readable sectors near the faulty sectors were replaced by zeros in the created clone (test case DA-09-FAST) This is the intended tool behavior as specified by the tool vendor
bull In two cases DA-08-ATA28 (drive containing an HPA) and DA-08-DCO-ALT (drive containing a DCO) in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 the tool removed the HPA from the source and all sectors were acquired In case DA-08-DCO-ALT the tool did not remove the DCO from the source and hidden sectors were not acquired
bull The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using the ldquoDisk Utilitiesrdquo Remove DCO amp HPA menu option In cases DA-08-DCO and DA-08-DCO-ALT the Remove DCO amp HPA option was not exercised and sectors hidden by a DCO were not acquired In case DA-08-DCO-ALT-SATA the Remove DCO amp HPA option was exercised to remove the DCO and all sectors were successfully acquired
July 2011 3 of 53 Tableau TD1 Forensic Duplicator
2 Test Case Selection Test cases used to test disk imaging tools are defined in Digital Data Acquisition Tool Assertions and Test Plan Version 10 To test a tool test cases are selected from the Test Plan document based on the features offered by the tool Not all test cases or test assertions are appropriate for all tools There is a core set of base cases (DA-06 and DA-08) that are executed for every tool tested Tool features guide the selection of additional test cases If a given tool implements a given feature then the test cases linked to that feature are run Table 1 lists the features available in the TD1 Forensic Duplicator and the linked test cases selected for execution Table 2 lists the features not available in the TD1 Forensic Duplicator and the test cases not executed
Table 1 Selected Test Cases
Supported Optional Feature Cases Selected for Execution Create a clone during acquisition 01 Create a truncated clone from a physical device 04 Base cases 06 amp 08 Read error during acquisition 09 Create an image file in more than one format 10 Destination device switching 13
Table 2 Omitted Test Cases
Unsupported Optional Feature Cases Omitted (Not Executed) Create an unaligned clone from a digital source 02 Create cylinder aligned clones 03 15 21 amp 23 Device IO error generator available 05 11 amp 18 Create an image of a partition 07 Insufficient space for image file 12 Create a clone from an image file 14 amp 17 Create a clone from a subset of an image file 16 Fill excess sectors on a clone acquisition 19 Fill excess sectors on a clone device 20 21 22 amp 23 Detect a corrupted (or changed) image file 24 amp 25 Convert an image file from one format to another 26
Some test cases have variant forms to accommodate parameters within test assertions These variations cover the acquisition interface to the source drive and the way that sectors are hidden on a drive Additional parameters that were varied between test cases were interface to target device use of the verify hash setting error recovery mode and chunk (image file) size
The following source access interfaces were tested ATA28 ATA48 SATA28 SATA48 and ESATA These are noted as variations on test cases DA-01 DA-06 and DA-08
July 2011 4 of 53 Tableau TD1 Forensic Duplicator
For test case DA-09 the TD1 Forensic Duplicator offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some good sectors bull complete ndash reads all readable sectors
3 Results by Test Assertion A test assertion is a verifiable statement about a single condition after an action is performed by the tool under test A test case usually checks a group of assertions after the action of a single execution of the tool under test Test assertions are defined and linked to test cases in Digital Data Acquisition Tool Assertions and Test Plan Version 10 Table 3 summarizes the test results for all the test cases by assertion The column labeled Assertions Tested gives the text of each assertion The column labeled Tests gives the number of test cases that use the given assertion The column labeled Anomaly gives the section number in this report where any observed anomalies are discussed
Table 3 Assertions Tested
Assertions Tested Tests Anomaly AM-01 The tool uses access interface SRC-AI to access the digital source
20
AM-02 The tool acquires digital source DS 20 AM-03 The tool executes in execution environment XE 20 AM-04 If clone creation is specified the tool creates a clone of the digital source
6
AM-05 If image file creation is specified the tool creates an image file on file system type FS
14
AM-06 All visible sectors are acquired from the digital source 20 31 AM-07 All hidden sectors are acquired from the digital source 5 32 AM-08 All sectors acquired from the digital source are acquired accurately
20
AM-09 If unresolved errors occur while reading from the selected digital source the tool notifies the user of the error type and location within the digital source
2
AM-10 If unresolved errors occur while reading from the selected digital source the tool uses a benign fill in the destination object in place of the inaccessible data
2
AO-01 If the tool creates an image file the data represented by the image file is the same as the data acquired by the tool
14
AO-02 If an image file format is specified the tool creates an image file in the specified format
1
AO-04 If the tool is creating an image file and there is insufficient space on the image destination device to contain the image file the tool shall notify the user
1
AO-05 If the tool creates a multi-file image of a requested size then all the individual files shall be no larger than the requested size
14
July 2011 5 of 53 Tableau TD1 Forensic Duplicator
Assertions Tested Tests Anomaly AO-10 If there is insufficient space to contain all files of a multi-file image and if destination device switching is supported the image is continued on another device
1
AO-11 If requested a clone is created during an acquisition of a digital source
6
AO-13 A clone is created using access interface DST-AI to write to the clone device
6
AO-14 If an unaligned clone is created each sector written to the clone is accurately written to the same disk address on the clone that the sector occupied on the digital source
6
AO-17 If requested any excess sectors on a clone destination device are not modified
4
AO-19 If there is insufficient space to create a complete clone a truncated clone is created using all available sectors of the clone device
1
AO-20 If a truncated clone is created the tool notifies the user 1 AO-23 If the tool logs any log significant information the information is accurately recorded in the log file
20 33
AO-24 If the tool executes in a forensically safe execution environment the digital source is unchanged by the acquisition process
20
Two test assertions only apply in special circumstances The assertion AO-22 is checked only for tools that create block hashes The assertion AO-24 is only checked if the tool is executed in a run time environment that does not modify attached storage devices such as MS DOS In normal operation an imaging tool is used in conjunction with a write block device to protect the source drive however a blocker was not used during the tests so that assertion AO-24 could be checked Table 4 lists the assertions that were not tested usually due to the tool not supporting some optional feature eg creation of cylinder aligned clones
Table 4 Assertions Not Tested
Assertions Not Tested AO-03 If there is an error while writing the image file the tool notifies the user AO-06 If the tool performs an image file integrity check on an image file that has not been changed since the file was created the tool shall notify the user that the image file has not been changed AO-07 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user that the image file has been changed AO-08 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user of the affected locations AO-09 If the tool converts a source image file from one format to a target image file in another format the acquired data represented in the target image file is the same as the
July 2011 6 of 53 Tableau TD1 Forensic Duplicator
Assertions Not Tested acquired data in the source image file AO-12 If requested a clone is created from an image file AO-15 If an aligned clone is created each sector within a contiguous span of sectors from the source is accurately written to the same disk address on the clone device relative to the start of the span as the sector occupied on the original digital source A span of sectors is defined to be either a mountable partition or a contiguous sequence of sectors not part of a mountable partition Extended partitions which may contain both mountable partitions and unallocated sectors are not mountable partitions AO-16 If a subset of an image or acquisition is specified all the subset is cloned AO-18 If requested a benign fill is written to excess sectors of a clone AO-21 If there is a write error during clone creation the tool notifies the user AO-22 If requested the tool calculates block hashes for a specified block size during an acquisition for each block acquired from the digital source
31 Acquisition of Faulty Sectors The Tableau TD1 Forensic Duplicator (firmware version 234 Feb 17 2011) offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some readable sectors near faulty sectors bull complete ndash reads all readable sectors
For test case DA-09-FAST the fast error recovery mode was specified and readable sectors in the same 128-sector imaging block as faulty sectors were skipped and replaced by zeros in the created clone For test case DA-09-COMPLETE the complete error recovery mode was specified and all readable sectors were acquired This is the behavior intended for the tool by the tool vendor
32 DCO Hidden Sector Tests The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using a Disk Utilities option In cases DA-08-DCO and DA-08-DCO-ALT the Disk Utilities option was not exercised and sectors hidden by a DCO were not acquired in case DA-08-DCO-ALT-SATA the Disk Utilities option was exercised to remove the DCO and all sectors were successfully acquired
33 Bogus Error Messages The tool is designed to warn the user prior to the start of an acquisition when a source drive contains hidden sectors (ie an HPA or DCO) In two cases DA-08-ATA28 and DA-08-DCO-ALT in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 a source drive containing an HPA was imaged The tool automatically removed the HPA and acquired all visible and hidden sectors In case DA-08-DCO-ALT a source
July 2011 7 of 53 Tableau TD1 Forensic Duplicator
drive containing a DCO was imaged In this case visible sectors were acquired but sectors hidden by a DCO were not
4 Testing Environment The tests were run in the NIST CFTT lab This section describes using the support software and notes on test hardware
41 Support Software A package of programs to support test analysis FS-TST Release 20 was used The software can be obtained from httpwwwcfttnistgovdiskimagingfs-tst20zip
42 Test Drive Creation There are three ways that a hard drive may be used in a tool test case as a source drive that is imaged by the tool as a media drive that contains image files created by the tool under test or as a destination drive on which the tool under test creates a clone of the source drive In addition to the operating system drive formatting tools some tools (diskwipe and diskhash) from the FS-TST package are used to set up test drives
To set up a media drive the drive is formatted with one of the supported file systems A media drive may be used in several test cases
The setup of most source drives follows the same general procedure but there are several steps that may be varied depending on the needs of the test case
1 The drive is filled with known data by the diskwipe program from FS-TST The diskwipe program writes the sector address to each sector in both CHS and LBA format The remainder of the sector bytes is set to a constant fill value unique for each drive The fill value is noted in the diskwipe tool log file
2 The drive may be formatted with partitions as required for the test case 3 An operating system may optionally be installed 4 A set of reference hashes is created by the FS-TST diskhash tool These include
both SHA1 and MD5 hashes In addition to full drive hashes hashes of each partition may also be computed
5 If the drive is intended for hidden area tests (DA-08) an HPA a DCO or both may be created The diskhash tool is then used to calculate reference hashes of just the visible sectors of the drive
The source drives for DA-09 are created such that there is a consistent set of faulty sectors on the drive Each of these source drives is initialized with diskwipe and then their faulty sectors are activated For each of these source drives a second drive of the same size with the same content as the faulty sector drive but with no faulty sectors serves as a reference drive for images made from the faulty drive
To set up a destination drive the drive is filled with known data by the diskwipe program from FS-TST Partitions may be created if the test case involves restoring from the image of a logical acquire
July 2011 8 of 53 Tableau TD1 Forensic Duplicator
43 Test Drive Analysis For test cases that create a clone of a physical device (eg DA-01 DA-04) the destination drive is compared to the source drive with the diskcmp program from the FS-TST package For test cases that create a clone of a logical device (ie a partition eg DA-02 DA-20) the destination partition is compared to the source partition with the partcmp program For a destination created from an image file (eg DA-14) the destination is compared using either diskcmp (for physical device clones) or partcmp (for partition clones) to the source that was acquired to create the image file Both diskcmp and partcmp note differences between the source and destination If the destination is larger than the source it is scanned and the excess destination sectors are categorized as either undisturbed (still containing the fill pattern written by diskwipe) zero filled or changed to something else
For test case DA-09 imaging a drive with known faulty sectors the program anabad is used to compare the faulty sector reference drive to a cloned version of the faulty sector drive
For test cases such as DA-06 and DA-07 any acquisition hash computed by the tool under test is compared to the reference hash of the source to check that the source is completely and accurately acquired
44 Note on Test Drives The testing uses several test drives from a variety of vendors The drives are identified by an external label that consists of a 2-digit hexadecimal value and an optional tag (eg 25-SATA) The combination of hex value and tag serves as a unique identifier for each drive The 2-digit hex value is used by the FS-TST diskwipe program as a sector fill value The FS-TST compare tools diskcmp and partcmp count sectors that are filled with the source and destination fill values on a destination that is larger than the original source
5 Test Results The main item of interest for interpreting the test results is determining the conformance of the device with the test assertions Conformance with each assertion tested by a given test case is evaluated by examining the Log Highlights box of the test case details
51 Test Results Report Key A summary of the actual test results is presented in this report The following table presents a description of each section of the test report summary The Tester Name Test Host Test Date Drives Source Setup and Log Highlights sections for each test case are populated by excerpts taken from the log files produced by the tool under test and the FS-TST tools that were executed in support of test case setup and analysis
Heading Description First Line Test case ID name and version of tool tested Case Summary Test case summary from Digital Data Acquisition Tool
Assertions and Test Plan Version 10
July 2011 9 of 53 Tableau TD1 Forensic Duplicator
Heading Description Assertions The test assertions applicable to the test case selected from
Digital Data Acquisition Tool Assertions and Test Plan Version 10
Tester Name Name or initials of person executing test procedure Test Host Host computer executing the test Test Date Time and date that test was started Drives Source drive (the drive acquired) destination drive (if a
clone is created) and media drive (to contain a created image)
Source Setup Layout of partitions on the source drive and the expected hash of the drive
Log Highlights Information extracted from various log files to illustrate conformance or nonconformance to the test assertions
Results Expected and actual results for each assertion tested Analysis Whether or not the expected results were achieved
52 Test Details
521 DA-01-ATA28 Test Case DA-01-ATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 104849 2011 Drives src(01-IDE) dst (58-IDE) other (none)Source src hash (SHA1) lt A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9 gtSetup src hash (MD5) lt F458F673894753FA6A0EC8B8EC63848E gt
78165360 total sectors (40020664320 bytes)Model (0BB-00JHC0 ) serial ( WD-WMAMC74171)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057175335 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12
July 2011 10 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027744255 102300001 102325463 05 extended 15 S 000000063 027744192 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry
LogHighlights
====== Destination drive setup ======117231408 sectors wiped with 58
====== Comparison of original to clone drive ======Sectors compared 78165360Sectors match 78165360 Sectors differ 0 Bytes differ 0 Diffs rangeSource (78165360) has 39066048 fewer sectors than destination (117231408)Zero fill 0 Src Byte fill (01) 0 Dst Byte fill (58) 39066048Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 78165360-117231407 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA28 of sectors acquired 78165360 (400 GB)Source hash SHA1 a48bb5665d6dc57c22db68e2f723da9aa8df82b9 MD5 f458f673894753fa6a0ec8b8ec63848e
====== Source drive rehash ====== Rehash (SHA1) of source A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expected
July 2011 11 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 AO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 12 of 53 Tableau TD1 Forensic Duplicator
522 DA-01-ATA48 Test Case DA-01-ATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 115123 2011 Drives src(4C) dst (46-SATA) other (none)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 390700737 sectors 200038777344 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 46
====== Comparison of original to clone drive ======Sectors compared 390721968Sectors match 390721968 Sectors differ 0 Bytes differ 0 Diffs rangeSource (390721968) has 97675200 fewer sectors than destination (488397168)Zero fill 0 Src Byte fill (4C) 0 Dst Byte fill (46) 97675200Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 390721968-488397167 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======
July 2011 13 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
that lists all test assertions used in the test case the expected result and the actual result Please refer to the vendorrsquos owner manual for guidance on using the tool
July 2011 2 of 53 Tableau TD1 Forensic Duplicator
Test Results for Digital Data Acquisition Tool Tool Tested TD1 Forensic Duplicator
Firmware Version 234 Feb 17 2011
Supplier Guidance Software Inc
Address W223 N608 Saratoga Drive Waukesha WI 53186
Tel (262) 522-7890 Fax (262) 522-7899
Email supporttableaucom WWW httpwwwtableaucom
1 Results Summary The tool acquired source drives completely and accurately with the exception of the following one case where a source drive containing faulty sectors was imaged and two cases where source drives containing hidden sectors were imaged In addition there were two cases where the tool generated bogus alert messages in place of alerting the user to the presence of hidden sectors on the source drive
The following behaviors were observed bull When the tool was executed using the fast error recovery mode and faulty sectors
were encountered some readable sectors near the faulty sectors were replaced by zeros in the created clone (test case DA-09-FAST) This is the intended tool behavior as specified by the tool vendor
bull In two cases DA-08-ATA28 (drive containing an HPA) and DA-08-DCO-ALT (drive containing a DCO) in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 the tool removed the HPA from the source and all sectors were acquired In case DA-08-DCO-ALT the tool did not remove the DCO from the source and hidden sectors were not acquired
bull The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using the ldquoDisk Utilitiesrdquo Remove DCO amp HPA menu option In cases DA-08-DCO and DA-08-DCO-ALT the Remove DCO amp HPA option was not exercised and sectors hidden by a DCO were not acquired In case DA-08-DCO-ALT-SATA the Remove DCO amp HPA option was exercised to remove the DCO and all sectors were successfully acquired
July 2011 3 of 53 Tableau TD1 Forensic Duplicator
2 Test Case Selection Test cases used to test disk imaging tools are defined in Digital Data Acquisition Tool Assertions and Test Plan Version 10 To test a tool test cases are selected from the Test Plan document based on the features offered by the tool Not all test cases or test assertions are appropriate for all tools There is a core set of base cases (DA-06 and DA-08) that are executed for every tool tested Tool features guide the selection of additional test cases If a given tool implements a given feature then the test cases linked to that feature are run Table 1 lists the features available in the TD1 Forensic Duplicator and the linked test cases selected for execution Table 2 lists the features not available in the TD1 Forensic Duplicator and the test cases not executed
Table 1 Selected Test Cases
Supported Optional Feature Cases Selected for Execution Create a clone during acquisition 01 Create a truncated clone from a physical device 04 Base cases 06 amp 08 Read error during acquisition 09 Create an image file in more than one format 10 Destination device switching 13
Table 2 Omitted Test Cases
Unsupported Optional Feature Cases Omitted (Not Executed) Create an unaligned clone from a digital source 02 Create cylinder aligned clones 03 15 21 amp 23 Device IO error generator available 05 11 amp 18 Create an image of a partition 07 Insufficient space for image file 12 Create a clone from an image file 14 amp 17 Create a clone from a subset of an image file 16 Fill excess sectors on a clone acquisition 19 Fill excess sectors on a clone device 20 21 22 amp 23 Detect a corrupted (or changed) image file 24 amp 25 Convert an image file from one format to another 26
Some test cases have variant forms to accommodate parameters within test assertions These variations cover the acquisition interface to the source drive and the way that sectors are hidden on a drive Additional parameters that were varied between test cases were interface to target device use of the verify hash setting error recovery mode and chunk (image file) size
The following source access interfaces were tested ATA28 ATA48 SATA28 SATA48 and ESATA These are noted as variations on test cases DA-01 DA-06 and DA-08
July 2011 4 of 53 Tableau TD1 Forensic Duplicator
For test case DA-09 the TD1 Forensic Duplicator offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some good sectors bull complete ndash reads all readable sectors
3 Results by Test Assertion A test assertion is a verifiable statement about a single condition after an action is performed by the tool under test A test case usually checks a group of assertions after the action of a single execution of the tool under test Test assertions are defined and linked to test cases in Digital Data Acquisition Tool Assertions and Test Plan Version 10 Table 3 summarizes the test results for all the test cases by assertion The column labeled Assertions Tested gives the text of each assertion The column labeled Tests gives the number of test cases that use the given assertion The column labeled Anomaly gives the section number in this report where any observed anomalies are discussed
Table 3 Assertions Tested
Assertions Tested Tests Anomaly AM-01 The tool uses access interface SRC-AI to access the digital source
20
AM-02 The tool acquires digital source DS 20 AM-03 The tool executes in execution environment XE 20 AM-04 If clone creation is specified the tool creates a clone of the digital source
6
AM-05 If image file creation is specified the tool creates an image file on file system type FS
14
AM-06 All visible sectors are acquired from the digital source 20 31 AM-07 All hidden sectors are acquired from the digital source 5 32 AM-08 All sectors acquired from the digital source are acquired accurately
20
AM-09 If unresolved errors occur while reading from the selected digital source the tool notifies the user of the error type and location within the digital source
2
AM-10 If unresolved errors occur while reading from the selected digital source the tool uses a benign fill in the destination object in place of the inaccessible data
2
AO-01 If the tool creates an image file the data represented by the image file is the same as the data acquired by the tool
14
AO-02 If an image file format is specified the tool creates an image file in the specified format
1
AO-04 If the tool is creating an image file and there is insufficient space on the image destination device to contain the image file the tool shall notify the user
1
AO-05 If the tool creates a multi-file image of a requested size then all the individual files shall be no larger than the requested size
14
July 2011 5 of 53 Tableau TD1 Forensic Duplicator
Assertions Tested Tests Anomaly AO-10 If there is insufficient space to contain all files of a multi-file image and if destination device switching is supported the image is continued on another device
1
AO-11 If requested a clone is created during an acquisition of a digital source
6
AO-13 A clone is created using access interface DST-AI to write to the clone device
6
AO-14 If an unaligned clone is created each sector written to the clone is accurately written to the same disk address on the clone that the sector occupied on the digital source
6
AO-17 If requested any excess sectors on a clone destination device are not modified
4
AO-19 If there is insufficient space to create a complete clone a truncated clone is created using all available sectors of the clone device
1
AO-20 If a truncated clone is created the tool notifies the user 1 AO-23 If the tool logs any log significant information the information is accurately recorded in the log file
20 33
AO-24 If the tool executes in a forensically safe execution environment the digital source is unchanged by the acquisition process
20
Two test assertions only apply in special circumstances The assertion AO-22 is checked only for tools that create block hashes The assertion AO-24 is only checked if the tool is executed in a run time environment that does not modify attached storage devices such as MS DOS In normal operation an imaging tool is used in conjunction with a write block device to protect the source drive however a blocker was not used during the tests so that assertion AO-24 could be checked Table 4 lists the assertions that were not tested usually due to the tool not supporting some optional feature eg creation of cylinder aligned clones
Table 4 Assertions Not Tested
Assertions Not Tested AO-03 If there is an error while writing the image file the tool notifies the user AO-06 If the tool performs an image file integrity check on an image file that has not been changed since the file was created the tool shall notify the user that the image file has not been changed AO-07 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user that the image file has been changed AO-08 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user of the affected locations AO-09 If the tool converts a source image file from one format to a target image file in another format the acquired data represented in the target image file is the same as the
July 2011 6 of 53 Tableau TD1 Forensic Duplicator
Assertions Not Tested acquired data in the source image file AO-12 If requested a clone is created from an image file AO-15 If an aligned clone is created each sector within a contiguous span of sectors from the source is accurately written to the same disk address on the clone device relative to the start of the span as the sector occupied on the original digital source A span of sectors is defined to be either a mountable partition or a contiguous sequence of sectors not part of a mountable partition Extended partitions which may contain both mountable partitions and unallocated sectors are not mountable partitions AO-16 If a subset of an image or acquisition is specified all the subset is cloned AO-18 If requested a benign fill is written to excess sectors of a clone AO-21 If there is a write error during clone creation the tool notifies the user AO-22 If requested the tool calculates block hashes for a specified block size during an acquisition for each block acquired from the digital source
31 Acquisition of Faulty Sectors The Tableau TD1 Forensic Duplicator (firmware version 234 Feb 17 2011) offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some readable sectors near faulty sectors bull complete ndash reads all readable sectors
For test case DA-09-FAST the fast error recovery mode was specified and readable sectors in the same 128-sector imaging block as faulty sectors were skipped and replaced by zeros in the created clone For test case DA-09-COMPLETE the complete error recovery mode was specified and all readable sectors were acquired This is the behavior intended for the tool by the tool vendor
32 DCO Hidden Sector Tests The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using a Disk Utilities option In cases DA-08-DCO and DA-08-DCO-ALT the Disk Utilities option was not exercised and sectors hidden by a DCO were not acquired in case DA-08-DCO-ALT-SATA the Disk Utilities option was exercised to remove the DCO and all sectors were successfully acquired
33 Bogus Error Messages The tool is designed to warn the user prior to the start of an acquisition when a source drive contains hidden sectors (ie an HPA or DCO) In two cases DA-08-ATA28 and DA-08-DCO-ALT in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 a source drive containing an HPA was imaged The tool automatically removed the HPA and acquired all visible and hidden sectors In case DA-08-DCO-ALT a source
July 2011 7 of 53 Tableau TD1 Forensic Duplicator
drive containing a DCO was imaged In this case visible sectors were acquired but sectors hidden by a DCO were not
4 Testing Environment The tests were run in the NIST CFTT lab This section describes using the support software and notes on test hardware
41 Support Software A package of programs to support test analysis FS-TST Release 20 was used The software can be obtained from httpwwwcfttnistgovdiskimagingfs-tst20zip
42 Test Drive Creation There are three ways that a hard drive may be used in a tool test case as a source drive that is imaged by the tool as a media drive that contains image files created by the tool under test or as a destination drive on which the tool under test creates a clone of the source drive In addition to the operating system drive formatting tools some tools (diskwipe and diskhash) from the FS-TST package are used to set up test drives
To set up a media drive the drive is formatted with one of the supported file systems A media drive may be used in several test cases
The setup of most source drives follows the same general procedure but there are several steps that may be varied depending on the needs of the test case
1 The drive is filled with known data by the diskwipe program from FS-TST The diskwipe program writes the sector address to each sector in both CHS and LBA format The remainder of the sector bytes is set to a constant fill value unique for each drive The fill value is noted in the diskwipe tool log file
2 The drive may be formatted with partitions as required for the test case 3 An operating system may optionally be installed 4 A set of reference hashes is created by the FS-TST diskhash tool These include
both SHA1 and MD5 hashes In addition to full drive hashes hashes of each partition may also be computed
5 If the drive is intended for hidden area tests (DA-08) an HPA a DCO or both may be created The diskhash tool is then used to calculate reference hashes of just the visible sectors of the drive
The source drives for DA-09 are created such that there is a consistent set of faulty sectors on the drive Each of these source drives is initialized with diskwipe and then their faulty sectors are activated For each of these source drives a second drive of the same size with the same content as the faulty sector drive but with no faulty sectors serves as a reference drive for images made from the faulty drive
To set up a destination drive the drive is filled with known data by the diskwipe program from FS-TST Partitions may be created if the test case involves restoring from the image of a logical acquire
July 2011 8 of 53 Tableau TD1 Forensic Duplicator
43 Test Drive Analysis For test cases that create a clone of a physical device (eg DA-01 DA-04) the destination drive is compared to the source drive with the diskcmp program from the FS-TST package For test cases that create a clone of a logical device (ie a partition eg DA-02 DA-20) the destination partition is compared to the source partition with the partcmp program For a destination created from an image file (eg DA-14) the destination is compared using either diskcmp (for physical device clones) or partcmp (for partition clones) to the source that was acquired to create the image file Both diskcmp and partcmp note differences between the source and destination If the destination is larger than the source it is scanned and the excess destination sectors are categorized as either undisturbed (still containing the fill pattern written by diskwipe) zero filled or changed to something else
For test case DA-09 imaging a drive with known faulty sectors the program anabad is used to compare the faulty sector reference drive to a cloned version of the faulty sector drive
For test cases such as DA-06 and DA-07 any acquisition hash computed by the tool under test is compared to the reference hash of the source to check that the source is completely and accurately acquired
44 Note on Test Drives The testing uses several test drives from a variety of vendors The drives are identified by an external label that consists of a 2-digit hexadecimal value and an optional tag (eg 25-SATA) The combination of hex value and tag serves as a unique identifier for each drive The 2-digit hex value is used by the FS-TST diskwipe program as a sector fill value The FS-TST compare tools diskcmp and partcmp count sectors that are filled with the source and destination fill values on a destination that is larger than the original source
5 Test Results The main item of interest for interpreting the test results is determining the conformance of the device with the test assertions Conformance with each assertion tested by a given test case is evaluated by examining the Log Highlights box of the test case details
51 Test Results Report Key A summary of the actual test results is presented in this report The following table presents a description of each section of the test report summary The Tester Name Test Host Test Date Drives Source Setup and Log Highlights sections for each test case are populated by excerpts taken from the log files produced by the tool under test and the FS-TST tools that were executed in support of test case setup and analysis
Heading Description First Line Test case ID name and version of tool tested Case Summary Test case summary from Digital Data Acquisition Tool
Assertions and Test Plan Version 10
July 2011 9 of 53 Tableau TD1 Forensic Duplicator
Heading Description Assertions The test assertions applicable to the test case selected from
Digital Data Acquisition Tool Assertions and Test Plan Version 10
Tester Name Name or initials of person executing test procedure Test Host Host computer executing the test Test Date Time and date that test was started Drives Source drive (the drive acquired) destination drive (if a
clone is created) and media drive (to contain a created image)
Source Setup Layout of partitions on the source drive and the expected hash of the drive
Log Highlights Information extracted from various log files to illustrate conformance or nonconformance to the test assertions
Results Expected and actual results for each assertion tested Analysis Whether or not the expected results were achieved
52 Test Details
521 DA-01-ATA28 Test Case DA-01-ATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 104849 2011 Drives src(01-IDE) dst (58-IDE) other (none)Source src hash (SHA1) lt A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9 gtSetup src hash (MD5) lt F458F673894753FA6A0EC8B8EC63848E gt
78165360 total sectors (40020664320 bytes)Model (0BB-00JHC0 ) serial ( WD-WMAMC74171)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057175335 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12
July 2011 10 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027744255 102300001 102325463 05 extended 15 S 000000063 027744192 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry
LogHighlights
====== Destination drive setup ======117231408 sectors wiped with 58
====== Comparison of original to clone drive ======Sectors compared 78165360Sectors match 78165360 Sectors differ 0 Bytes differ 0 Diffs rangeSource (78165360) has 39066048 fewer sectors than destination (117231408)Zero fill 0 Src Byte fill (01) 0 Dst Byte fill (58) 39066048Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 78165360-117231407 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA28 of sectors acquired 78165360 (400 GB)Source hash SHA1 a48bb5665d6dc57c22db68e2f723da9aa8df82b9 MD5 f458f673894753fa6a0ec8b8ec63848e
====== Source drive rehash ====== Rehash (SHA1) of source A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expected
July 2011 11 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 AO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 12 of 53 Tableau TD1 Forensic Duplicator
522 DA-01-ATA48 Test Case DA-01-ATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 115123 2011 Drives src(4C) dst (46-SATA) other (none)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 390700737 sectors 200038777344 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 46
====== Comparison of original to clone drive ======Sectors compared 390721968Sectors match 390721968 Sectors differ 0 Bytes differ 0 Diffs rangeSource (390721968) has 97675200 fewer sectors than destination (488397168)Zero fill 0 Src Byte fill (4C) 0 Dst Byte fill (46) 97675200Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 390721968-488397167 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======
July 2011 13 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Results for Digital Data Acquisition Tool Tool Tested TD1 Forensic Duplicator
Firmware Version 234 Feb 17 2011
Supplier Guidance Software Inc
Address W223 N608 Saratoga Drive Waukesha WI 53186
Tel (262) 522-7890 Fax (262) 522-7899
Email supporttableaucom WWW httpwwwtableaucom
1 Results Summary The tool acquired source drives completely and accurately with the exception of the following one case where a source drive containing faulty sectors was imaged and two cases where source drives containing hidden sectors were imaged In addition there were two cases where the tool generated bogus alert messages in place of alerting the user to the presence of hidden sectors on the source drive
The following behaviors were observed bull When the tool was executed using the fast error recovery mode and faulty sectors
were encountered some readable sectors near the faulty sectors were replaced by zeros in the created clone (test case DA-09-FAST) This is the intended tool behavior as specified by the tool vendor
bull In two cases DA-08-ATA28 (drive containing an HPA) and DA-08-DCO-ALT (drive containing a DCO) in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 the tool removed the HPA from the source and all sectors were acquired In case DA-08-DCO-ALT the tool did not remove the DCO from the source and hidden sectors were not acquired
bull The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using the ldquoDisk Utilitiesrdquo Remove DCO amp HPA menu option In cases DA-08-DCO and DA-08-DCO-ALT the Remove DCO amp HPA option was not exercised and sectors hidden by a DCO were not acquired In case DA-08-DCO-ALT-SATA the Remove DCO amp HPA option was exercised to remove the DCO and all sectors were successfully acquired
July 2011 3 of 53 Tableau TD1 Forensic Duplicator
2 Test Case Selection Test cases used to test disk imaging tools are defined in Digital Data Acquisition Tool Assertions and Test Plan Version 10 To test a tool test cases are selected from the Test Plan document based on the features offered by the tool Not all test cases or test assertions are appropriate for all tools There is a core set of base cases (DA-06 and DA-08) that are executed for every tool tested Tool features guide the selection of additional test cases If a given tool implements a given feature then the test cases linked to that feature are run Table 1 lists the features available in the TD1 Forensic Duplicator and the linked test cases selected for execution Table 2 lists the features not available in the TD1 Forensic Duplicator and the test cases not executed
Table 1 Selected Test Cases
Supported Optional Feature Cases Selected for Execution Create a clone during acquisition 01 Create a truncated clone from a physical device 04 Base cases 06 amp 08 Read error during acquisition 09 Create an image file in more than one format 10 Destination device switching 13
Table 2 Omitted Test Cases
Unsupported Optional Feature Cases Omitted (Not Executed) Create an unaligned clone from a digital source 02 Create cylinder aligned clones 03 15 21 amp 23 Device IO error generator available 05 11 amp 18 Create an image of a partition 07 Insufficient space for image file 12 Create a clone from an image file 14 amp 17 Create a clone from a subset of an image file 16 Fill excess sectors on a clone acquisition 19 Fill excess sectors on a clone device 20 21 22 amp 23 Detect a corrupted (or changed) image file 24 amp 25 Convert an image file from one format to another 26
Some test cases have variant forms to accommodate parameters within test assertions These variations cover the acquisition interface to the source drive and the way that sectors are hidden on a drive Additional parameters that were varied between test cases were interface to target device use of the verify hash setting error recovery mode and chunk (image file) size
The following source access interfaces were tested ATA28 ATA48 SATA28 SATA48 and ESATA These are noted as variations on test cases DA-01 DA-06 and DA-08
July 2011 4 of 53 Tableau TD1 Forensic Duplicator
For test case DA-09 the TD1 Forensic Duplicator offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some good sectors bull complete ndash reads all readable sectors
3 Results by Test Assertion A test assertion is a verifiable statement about a single condition after an action is performed by the tool under test A test case usually checks a group of assertions after the action of a single execution of the tool under test Test assertions are defined and linked to test cases in Digital Data Acquisition Tool Assertions and Test Plan Version 10 Table 3 summarizes the test results for all the test cases by assertion The column labeled Assertions Tested gives the text of each assertion The column labeled Tests gives the number of test cases that use the given assertion The column labeled Anomaly gives the section number in this report where any observed anomalies are discussed
Table 3 Assertions Tested
Assertions Tested Tests Anomaly AM-01 The tool uses access interface SRC-AI to access the digital source
20
AM-02 The tool acquires digital source DS 20 AM-03 The tool executes in execution environment XE 20 AM-04 If clone creation is specified the tool creates a clone of the digital source
6
AM-05 If image file creation is specified the tool creates an image file on file system type FS
14
AM-06 All visible sectors are acquired from the digital source 20 31 AM-07 All hidden sectors are acquired from the digital source 5 32 AM-08 All sectors acquired from the digital source are acquired accurately
20
AM-09 If unresolved errors occur while reading from the selected digital source the tool notifies the user of the error type and location within the digital source
2
AM-10 If unresolved errors occur while reading from the selected digital source the tool uses a benign fill in the destination object in place of the inaccessible data
2
AO-01 If the tool creates an image file the data represented by the image file is the same as the data acquired by the tool
14
AO-02 If an image file format is specified the tool creates an image file in the specified format
1
AO-04 If the tool is creating an image file and there is insufficient space on the image destination device to contain the image file the tool shall notify the user
1
AO-05 If the tool creates a multi-file image of a requested size then all the individual files shall be no larger than the requested size
14
July 2011 5 of 53 Tableau TD1 Forensic Duplicator
Assertions Tested Tests Anomaly AO-10 If there is insufficient space to contain all files of a multi-file image and if destination device switching is supported the image is continued on another device
1
AO-11 If requested a clone is created during an acquisition of a digital source
6
AO-13 A clone is created using access interface DST-AI to write to the clone device
6
AO-14 If an unaligned clone is created each sector written to the clone is accurately written to the same disk address on the clone that the sector occupied on the digital source
6
AO-17 If requested any excess sectors on a clone destination device are not modified
4
AO-19 If there is insufficient space to create a complete clone a truncated clone is created using all available sectors of the clone device
1
AO-20 If a truncated clone is created the tool notifies the user 1 AO-23 If the tool logs any log significant information the information is accurately recorded in the log file
20 33
AO-24 If the tool executes in a forensically safe execution environment the digital source is unchanged by the acquisition process
20
Two test assertions only apply in special circumstances The assertion AO-22 is checked only for tools that create block hashes The assertion AO-24 is only checked if the tool is executed in a run time environment that does not modify attached storage devices such as MS DOS In normal operation an imaging tool is used in conjunction with a write block device to protect the source drive however a blocker was not used during the tests so that assertion AO-24 could be checked Table 4 lists the assertions that were not tested usually due to the tool not supporting some optional feature eg creation of cylinder aligned clones
Table 4 Assertions Not Tested
Assertions Not Tested AO-03 If there is an error while writing the image file the tool notifies the user AO-06 If the tool performs an image file integrity check on an image file that has not been changed since the file was created the tool shall notify the user that the image file has not been changed AO-07 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user that the image file has been changed AO-08 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user of the affected locations AO-09 If the tool converts a source image file from one format to a target image file in another format the acquired data represented in the target image file is the same as the
July 2011 6 of 53 Tableau TD1 Forensic Duplicator
Assertions Not Tested acquired data in the source image file AO-12 If requested a clone is created from an image file AO-15 If an aligned clone is created each sector within a contiguous span of sectors from the source is accurately written to the same disk address on the clone device relative to the start of the span as the sector occupied on the original digital source A span of sectors is defined to be either a mountable partition or a contiguous sequence of sectors not part of a mountable partition Extended partitions which may contain both mountable partitions and unallocated sectors are not mountable partitions AO-16 If a subset of an image or acquisition is specified all the subset is cloned AO-18 If requested a benign fill is written to excess sectors of a clone AO-21 If there is a write error during clone creation the tool notifies the user AO-22 If requested the tool calculates block hashes for a specified block size during an acquisition for each block acquired from the digital source
31 Acquisition of Faulty Sectors The Tableau TD1 Forensic Duplicator (firmware version 234 Feb 17 2011) offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some readable sectors near faulty sectors bull complete ndash reads all readable sectors
For test case DA-09-FAST the fast error recovery mode was specified and readable sectors in the same 128-sector imaging block as faulty sectors were skipped and replaced by zeros in the created clone For test case DA-09-COMPLETE the complete error recovery mode was specified and all readable sectors were acquired This is the behavior intended for the tool by the tool vendor
32 DCO Hidden Sector Tests The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using a Disk Utilities option In cases DA-08-DCO and DA-08-DCO-ALT the Disk Utilities option was not exercised and sectors hidden by a DCO were not acquired in case DA-08-DCO-ALT-SATA the Disk Utilities option was exercised to remove the DCO and all sectors were successfully acquired
33 Bogus Error Messages The tool is designed to warn the user prior to the start of an acquisition when a source drive contains hidden sectors (ie an HPA or DCO) In two cases DA-08-ATA28 and DA-08-DCO-ALT in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 a source drive containing an HPA was imaged The tool automatically removed the HPA and acquired all visible and hidden sectors In case DA-08-DCO-ALT a source
July 2011 7 of 53 Tableau TD1 Forensic Duplicator
drive containing a DCO was imaged In this case visible sectors were acquired but sectors hidden by a DCO were not
4 Testing Environment The tests were run in the NIST CFTT lab This section describes using the support software and notes on test hardware
41 Support Software A package of programs to support test analysis FS-TST Release 20 was used The software can be obtained from httpwwwcfttnistgovdiskimagingfs-tst20zip
42 Test Drive Creation There are three ways that a hard drive may be used in a tool test case as a source drive that is imaged by the tool as a media drive that contains image files created by the tool under test or as a destination drive on which the tool under test creates a clone of the source drive In addition to the operating system drive formatting tools some tools (diskwipe and diskhash) from the FS-TST package are used to set up test drives
To set up a media drive the drive is formatted with one of the supported file systems A media drive may be used in several test cases
The setup of most source drives follows the same general procedure but there are several steps that may be varied depending on the needs of the test case
1 The drive is filled with known data by the diskwipe program from FS-TST The diskwipe program writes the sector address to each sector in both CHS and LBA format The remainder of the sector bytes is set to a constant fill value unique for each drive The fill value is noted in the diskwipe tool log file
2 The drive may be formatted with partitions as required for the test case 3 An operating system may optionally be installed 4 A set of reference hashes is created by the FS-TST diskhash tool These include
both SHA1 and MD5 hashes In addition to full drive hashes hashes of each partition may also be computed
5 If the drive is intended for hidden area tests (DA-08) an HPA a DCO or both may be created The diskhash tool is then used to calculate reference hashes of just the visible sectors of the drive
The source drives for DA-09 are created such that there is a consistent set of faulty sectors on the drive Each of these source drives is initialized with diskwipe and then their faulty sectors are activated For each of these source drives a second drive of the same size with the same content as the faulty sector drive but with no faulty sectors serves as a reference drive for images made from the faulty drive
To set up a destination drive the drive is filled with known data by the diskwipe program from FS-TST Partitions may be created if the test case involves restoring from the image of a logical acquire
July 2011 8 of 53 Tableau TD1 Forensic Duplicator
43 Test Drive Analysis For test cases that create a clone of a physical device (eg DA-01 DA-04) the destination drive is compared to the source drive with the diskcmp program from the FS-TST package For test cases that create a clone of a logical device (ie a partition eg DA-02 DA-20) the destination partition is compared to the source partition with the partcmp program For a destination created from an image file (eg DA-14) the destination is compared using either diskcmp (for physical device clones) or partcmp (for partition clones) to the source that was acquired to create the image file Both diskcmp and partcmp note differences between the source and destination If the destination is larger than the source it is scanned and the excess destination sectors are categorized as either undisturbed (still containing the fill pattern written by diskwipe) zero filled or changed to something else
For test case DA-09 imaging a drive with known faulty sectors the program anabad is used to compare the faulty sector reference drive to a cloned version of the faulty sector drive
For test cases such as DA-06 and DA-07 any acquisition hash computed by the tool under test is compared to the reference hash of the source to check that the source is completely and accurately acquired
44 Note on Test Drives The testing uses several test drives from a variety of vendors The drives are identified by an external label that consists of a 2-digit hexadecimal value and an optional tag (eg 25-SATA) The combination of hex value and tag serves as a unique identifier for each drive The 2-digit hex value is used by the FS-TST diskwipe program as a sector fill value The FS-TST compare tools diskcmp and partcmp count sectors that are filled with the source and destination fill values on a destination that is larger than the original source
5 Test Results The main item of interest for interpreting the test results is determining the conformance of the device with the test assertions Conformance with each assertion tested by a given test case is evaluated by examining the Log Highlights box of the test case details
51 Test Results Report Key A summary of the actual test results is presented in this report The following table presents a description of each section of the test report summary The Tester Name Test Host Test Date Drives Source Setup and Log Highlights sections for each test case are populated by excerpts taken from the log files produced by the tool under test and the FS-TST tools that were executed in support of test case setup and analysis
Heading Description First Line Test case ID name and version of tool tested Case Summary Test case summary from Digital Data Acquisition Tool
Assertions and Test Plan Version 10
July 2011 9 of 53 Tableau TD1 Forensic Duplicator
Heading Description Assertions The test assertions applicable to the test case selected from
Digital Data Acquisition Tool Assertions and Test Plan Version 10
Tester Name Name or initials of person executing test procedure Test Host Host computer executing the test Test Date Time and date that test was started Drives Source drive (the drive acquired) destination drive (if a
clone is created) and media drive (to contain a created image)
Source Setup Layout of partitions on the source drive and the expected hash of the drive
Log Highlights Information extracted from various log files to illustrate conformance or nonconformance to the test assertions
Results Expected and actual results for each assertion tested Analysis Whether or not the expected results were achieved
52 Test Details
521 DA-01-ATA28 Test Case DA-01-ATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 104849 2011 Drives src(01-IDE) dst (58-IDE) other (none)Source src hash (SHA1) lt A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9 gtSetup src hash (MD5) lt F458F673894753FA6A0EC8B8EC63848E gt
78165360 total sectors (40020664320 bytes)Model (0BB-00JHC0 ) serial ( WD-WMAMC74171)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057175335 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12
July 2011 10 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027744255 102300001 102325463 05 extended 15 S 000000063 027744192 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry
LogHighlights
====== Destination drive setup ======117231408 sectors wiped with 58
====== Comparison of original to clone drive ======Sectors compared 78165360Sectors match 78165360 Sectors differ 0 Bytes differ 0 Diffs rangeSource (78165360) has 39066048 fewer sectors than destination (117231408)Zero fill 0 Src Byte fill (01) 0 Dst Byte fill (58) 39066048Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 78165360-117231407 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA28 of sectors acquired 78165360 (400 GB)Source hash SHA1 a48bb5665d6dc57c22db68e2f723da9aa8df82b9 MD5 f458f673894753fa6a0ec8b8ec63848e
====== Source drive rehash ====== Rehash (SHA1) of source A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expected
July 2011 11 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 AO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 12 of 53 Tableau TD1 Forensic Duplicator
522 DA-01-ATA48 Test Case DA-01-ATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 115123 2011 Drives src(4C) dst (46-SATA) other (none)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 390700737 sectors 200038777344 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 46
====== Comparison of original to clone drive ======Sectors compared 390721968Sectors match 390721968 Sectors differ 0 Bytes differ 0 Diffs rangeSource (390721968) has 97675200 fewer sectors than destination (488397168)Zero fill 0 Src Byte fill (4C) 0 Dst Byte fill (46) 97675200Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 390721968-488397167 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======
July 2011 13 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
2 Test Case Selection Test cases used to test disk imaging tools are defined in Digital Data Acquisition Tool Assertions and Test Plan Version 10 To test a tool test cases are selected from the Test Plan document based on the features offered by the tool Not all test cases or test assertions are appropriate for all tools There is a core set of base cases (DA-06 and DA-08) that are executed for every tool tested Tool features guide the selection of additional test cases If a given tool implements a given feature then the test cases linked to that feature are run Table 1 lists the features available in the TD1 Forensic Duplicator and the linked test cases selected for execution Table 2 lists the features not available in the TD1 Forensic Duplicator and the test cases not executed
Table 1 Selected Test Cases
Supported Optional Feature Cases Selected for Execution Create a clone during acquisition 01 Create a truncated clone from a physical device 04 Base cases 06 amp 08 Read error during acquisition 09 Create an image file in more than one format 10 Destination device switching 13
Table 2 Omitted Test Cases
Unsupported Optional Feature Cases Omitted (Not Executed) Create an unaligned clone from a digital source 02 Create cylinder aligned clones 03 15 21 amp 23 Device IO error generator available 05 11 amp 18 Create an image of a partition 07 Insufficient space for image file 12 Create a clone from an image file 14 amp 17 Create a clone from a subset of an image file 16 Fill excess sectors on a clone acquisition 19 Fill excess sectors on a clone device 20 21 22 amp 23 Detect a corrupted (or changed) image file 24 amp 25 Convert an image file from one format to another 26
Some test cases have variant forms to accommodate parameters within test assertions These variations cover the acquisition interface to the source drive and the way that sectors are hidden on a drive Additional parameters that were varied between test cases were interface to target device use of the verify hash setting error recovery mode and chunk (image file) size
The following source access interfaces were tested ATA28 ATA48 SATA28 SATA48 and ESATA These are noted as variations on test cases DA-01 DA-06 and DA-08
July 2011 4 of 53 Tableau TD1 Forensic Duplicator
For test case DA-09 the TD1 Forensic Duplicator offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some good sectors bull complete ndash reads all readable sectors
3 Results by Test Assertion A test assertion is a verifiable statement about a single condition after an action is performed by the tool under test A test case usually checks a group of assertions after the action of a single execution of the tool under test Test assertions are defined and linked to test cases in Digital Data Acquisition Tool Assertions and Test Plan Version 10 Table 3 summarizes the test results for all the test cases by assertion The column labeled Assertions Tested gives the text of each assertion The column labeled Tests gives the number of test cases that use the given assertion The column labeled Anomaly gives the section number in this report where any observed anomalies are discussed
Table 3 Assertions Tested
Assertions Tested Tests Anomaly AM-01 The tool uses access interface SRC-AI to access the digital source
20
AM-02 The tool acquires digital source DS 20 AM-03 The tool executes in execution environment XE 20 AM-04 If clone creation is specified the tool creates a clone of the digital source
6
AM-05 If image file creation is specified the tool creates an image file on file system type FS
14
AM-06 All visible sectors are acquired from the digital source 20 31 AM-07 All hidden sectors are acquired from the digital source 5 32 AM-08 All sectors acquired from the digital source are acquired accurately
20
AM-09 If unresolved errors occur while reading from the selected digital source the tool notifies the user of the error type and location within the digital source
2
AM-10 If unresolved errors occur while reading from the selected digital source the tool uses a benign fill in the destination object in place of the inaccessible data
2
AO-01 If the tool creates an image file the data represented by the image file is the same as the data acquired by the tool
14
AO-02 If an image file format is specified the tool creates an image file in the specified format
1
AO-04 If the tool is creating an image file and there is insufficient space on the image destination device to contain the image file the tool shall notify the user
1
AO-05 If the tool creates a multi-file image of a requested size then all the individual files shall be no larger than the requested size
14
July 2011 5 of 53 Tableau TD1 Forensic Duplicator
Assertions Tested Tests Anomaly AO-10 If there is insufficient space to contain all files of a multi-file image and if destination device switching is supported the image is continued on another device
1
AO-11 If requested a clone is created during an acquisition of a digital source
6
AO-13 A clone is created using access interface DST-AI to write to the clone device
6
AO-14 If an unaligned clone is created each sector written to the clone is accurately written to the same disk address on the clone that the sector occupied on the digital source
6
AO-17 If requested any excess sectors on a clone destination device are not modified
4
AO-19 If there is insufficient space to create a complete clone a truncated clone is created using all available sectors of the clone device
1
AO-20 If a truncated clone is created the tool notifies the user 1 AO-23 If the tool logs any log significant information the information is accurately recorded in the log file
20 33
AO-24 If the tool executes in a forensically safe execution environment the digital source is unchanged by the acquisition process
20
Two test assertions only apply in special circumstances The assertion AO-22 is checked only for tools that create block hashes The assertion AO-24 is only checked if the tool is executed in a run time environment that does not modify attached storage devices such as MS DOS In normal operation an imaging tool is used in conjunction with a write block device to protect the source drive however a blocker was not used during the tests so that assertion AO-24 could be checked Table 4 lists the assertions that were not tested usually due to the tool not supporting some optional feature eg creation of cylinder aligned clones
Table 4 Assertions Not Tested
Assertions Not Tested AO-03 If there is an error while writing the image file the tool notifies the user AO-06 If the tool performs an image file integrity check on an image file that has not been changed since the file was created the tool shall notify the user that the image file has not been changed AO-07 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user that the image file has been changed AO-08 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user of the affected locations AO-09 If the tool converts a source image file from one format to a target image file in another format the acquired data represented in the target image file is the same as the
July 2011 6 of 53 Tableau TD1 Forensic Duplicator
Assertions Not Tested acquired data in the source image file AO-12 If requested a clone is created from an image file AO-15 If an aligned clone is created each sector within a contiguous span of sectors from the source is accurately written to the same disk address on the clone device relative to the start of the span as the sector occupied on the original digital source A span of sectors is defined to be either a mountable partition or a contiguous sequence of sectors not part of a mountable partition Extended partitions which may contain both mountable partitions and unallocated sectors are not mountable partitions AO-16 If a subset of an image or acquisition is specified all the subset is cloned AO-18 If requested a benign fill is written to excess sectors of a clone AO-21 If there is a write error during clone creation the tool notifies the user AO-22 If requested the tool calculates block hashes for a specified block size during an acquisition for each block acquired from the digital source
31 Acquisition of Faulty Sectors The Tableau TD1 Forensic Duplicator (firmware version 234 Feb 17 2011) offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some readable sectors near faulty sectors bull complete ndash reads all readable sectors
For test case DA-09-FAST the fast error recovery mode was specified and readable sectors in the same 128-sector imaging block as faulty sectors were skipped and replaced by zeros in the created clone For test case DA-09-COMPLETE the complete error recovery mode was specified and all readable sectors were acquired This is the behavior intended for the tool by the tool vendor
32 DCO Hidden Sector Tests The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using a Disk Utilities option In cases DA-08-DCO and DA-08-DCO-ALT the Disk Utilities option was not exercised and sectors hidden by a DCO were not acquired in case DA-08-DCO-ALT-SATA the Disk Utilities option was exercised to remove the DCO and all sectors were successfully acquired
33 Bogus Error Messages The tool is designed to warn the user prior to the start of an acquisition when a source drive contains hidden sectors (ie an HPA or DCO) In two cases DA-08-ATA28 and DA-08-DCO-ALT in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 a source drive containing an HPA was imaged The tool automatically removed the HPA and acquired all visible and hidden sectors In case DA-08-DCO-ALT a source
July 2011 7 of 53 Tableau TD1 Forensic Duplicator
drive containing a DCO was imaged In this case visible sectors were acquired but sectors hidden by a DCO were not
4 Testing Environment The tests were run in the NIST CFTT lab This section describes using the support software and notes on test hardware
41 Support Software A package of programs to support test analysis FS-TST Release 20 was used The software can be obtained from httpwwwcfttnistgovdiskimagingfs-tst20zip
42 Test Drive Creation There are three ways that a hard drive may be used in a tool test case as a source drive that is imaged by the tool as a media drive that contains image files created by the tool under test or as a destination drive on which the tool under test creates a clone of the source drive In addition to the operating system drive formatting tools some tools (diskwipe and diskhash) from the FS-TST package are used to set up test drives
To set up a media drive the drive is formatted with one of the supported file systems A media drive may be used in several test cases
The setup of most source drives follows the same general procedure but there are several steps that may be varied depending on the needs of the test case
1 The drive is filled with known data by the diskwipe program from FS-TST The diskwipe program writes the sector address to each sector in both CHS and LBA format The remainder of the sector bytes is set to a constant fill value unique for each drive The fill value is noted in the diskwipe tool log file
2 The drive may be formatted with partitions as required for the test case 3 An operating system may optionally be installed 4 A set of reference hashes is created by the FS-TST diskhash tool These include
both SHA1 and MD5 hashes In addition to full drive hashes hashes of each partition may also be computed
5 If the drive is intended for hidden area tests (DA-08) an HPA a DCO or both may be created The diskhash tool is then used to calculate reference hashes of just the visible sectors of the drive
The source drives for DA-09 are created such that there is a consistent set of faulty sectors on the drive Each of these source drives is initialized with diskwipe and then their faulty sectors are activated For each of these source drives a second drive of the same size with the same content as the faulty sector drive but with no faulty sectors serves as a reference drive for images made from the faulty drive
To set up a destination drive the drive is filled with known data by the diskwipe program from FS-TST Partitions may be created if the test case involves restoring from the image of a logical acquire
July 2011 8 of 53 Tableau TD1 Forensic Duplicator
43 Test Drive Analysis For test cases that create a clone of a physical device (eg DA-01 DA-04) the destination drive is compared to the source drive with the diskcmp program from the FS-TST package For test cases that create a clone of a logical device (ie a partition eg DA-02 DA-20) the destination partition is compared to the source partition with the partcmp program For a destination created from an image file (eg DA-14) the destination is compared using either diskcmp (for physical device clones) or partcmp (for partition clones) to the source that was acquired to create the image file Both diskcmp and partcmp note differences between the source and destination If the destination is larger than the source it is scanned and the excess destination sectors are categorized as either undisturbed (still containing the fill pattern written by diskwipe) zero filled or changed to something else
For test case DA-09 imaging a drive with known faulty sectors the program anabad is used to compare the faulty sector reference drive to a cloned version of the faulty sector drive
For test cases such as DA-06 and DA-07 any acquisition hash computed by the tool under test is compared to the reference hash of the source to check that the source is completely and accurately acquired
44 Note on Test Drives The testing uses several test drives from a variety of vendors The drives are identified by an external label that consists of a 2-digit hexadecimal value and an optional tag (eg 25-SATA) The combination of hex value and tag serves as a unique identifier for each drive The 2-digit hex value is used by the FS-TST diskwipe program as a sector fill value The FS-TST compare tools diskcmp and partcmp count sectors that are filled with the source and destination fill values on a destination that is larger than the original source
5 Test Results The main item of interest for interpreting the test results is determining the conformance of the device with the test assertions Conformance with each assertion tested by a given test case is evaluated by examining the Log Highlights box of the test case details
51 Test Results Report Key A summary of the actual test results is presented in this report The following table presents a description of each section of the test report summary The Tester Name Test Host Test Date Drives Source Setup and Log Highlights sections for each test case are populated by excerpts taken from the log files produced by the tool under test and the FS-TST tools that were executed in support of test case setup and analysis
Heading Description First Line Test case ID name and version of tool tested Case Summary Test case summary from Digital Data Acquisition Tool
Assertions and Test Plan Version 10
July 2011 9 of 53 Tableau TD1 Forensic Duplicator
Heading Description Assertions The test assertions applicable to the test case selected from
Digital Data Acquisition Tool Assertions and Test Plan Version 10
Tester Name Name or initials of person executing test procedure Test Host Host computer executing the test Test Date Time and date that test was started Drives Source drive (the drive acquired) destination drive (if a
clone is created) and media drive (to contain a created image)
Source Setup Layout of partitions on the source drive and the expected hash of the drive
Log Highlights Information extracted from various log files to illustrate conformance or nonconformance to the test assertions
Results Expected and actual results for each assertion tested Analysis Whether or not the expected results were achieved
52 Test Details
521 DA-01-ATA28 Test Case DA-01-ATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 104849 2011 Drives src(01-IDE) dst (58-IDE) other (none)Source src hash (SHA1) lt A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9 gtSetup src hash (MD5) lt F458F673894753FA6A0EC8B8EC63848E gt
78165360 total sectors (40020664320 bytes)Model (0BB-00JHC0 ) serial ( WD-WMAMC74171)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057175335 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12
July 2011 10 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027744255 102300001 102325463 05 extended 15 S 000000063 027744192 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry
LogHighlights
====== Destination drive setup ======117231408 sectors wiped with 58
====== Comparison of original to clone drive ======Sectors compared 78165360Sectors match 78165360 Sectors differ 0 Bytes differ 0 Diffs rangeSource (78165360) has 39066048 fewer sectors than destination (117231408)Zero fill 0 Src Byte fill (01) 0 Dst Byte fill (58) 39066048Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 78165360-117231407 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA28 of sectors acquired 78165360 (400 GB)Source hash SHA1 a48bb5665d6dc57c22db68e2f723da9aa8df82b9 MD5 f458f673894753fa6a0ec8b8ec63848e
====== Source drive rehash ====== Rehash (SHA1) of source A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expected
July 2011 11 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 AO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 12 of 53 Tableau TD1 Forensic Duplicator
522 DA-01-ATA48 Test Case DA-01-ATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 115123 2011 Drives src(4C) dst (46-SATA) other (none)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 390700737 sectors 200038777344 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 46
====== Comparison of original to clone drive ======Sectors compared 390721968Sectors match 390721968 Sectors differ 0 Bytes differ 0 Diffs rangeSource (390721968) has 97675200 fewer sectors than destination (488397168)Zero fill 0 Src Byte fill (4C) 0 Dst Byte fill (46) 97675200Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 390721968-488397167 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======
July 2011 13 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
For test case DA-09 the TD1 Forensic Duplicator offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some good sectors bull complete ndash reads all readable sectors
3 Results by Test Assertion A test assertion is a verifiable statement about a single condition after an action is performed by the tool under test A test case usually checks a group of assertions after the action of a single execution of the tool under test Test assertions are defined and linked to test cases in Digital Data Acquisition Tool Assertions and Test Plan Version 10 Table 3 summarizes the test results for all the test cases by assertion The column labeled Assertions Tested gives the text of each assertion The column labeled Tests gives the number of test cases that use the given assertion The column labeled Anomaly gives the section number in this report where any observed anomalies are discussed
Table 3 Assertions Tested
Assertions Tested Tests Anomaly AM-01 The tool uses access interface SRC-AI to access the digital source
20
AM-02 The tool acquires digital source DS 20 AM-03 The tool executes in execution environment XE 20 AM-04 If clone creation is specified the tool creates a clone of the digital source
6
AM-05 If image file creation is specified the tool creates an image file on file system type FS
14
AM-06 All visible sectors are acquired from the digital source 20 31 AM-07 All hidden sectors are acquired from the digital source 5 32 AM-08 All sectors acquired from the digital source are acquired accurately
20
AM-09 If unresolved errors occur while reading from the selected digital source the tool notifies the user of the error type and location within the digital source
2
AM-10 If unresolved errors occur while reading from the selected digital source the tool uses a benign fill in the destination object in place of the inaccessible data
2
AO-01 If the tool creates an image file the data represented by the image file is the same as the data acquired by the tool
14
AO-02 If an image file format is specified the tool creates an image file in the specified format
1
AO-04 If the tool is creating an image file and there is insufficient space on the image destination device to contain the image file the tool shall notify the user
1
AO-05 If the tool creates a multi-file image of a requested size then all the individual files shall be no larger than the requested size
14
July 2011 5 of 53 Tableau TD1 Forensic Duplicator
Assertions Tested Tests Anomaly AO-10 If there is insufficient space to contain all files of a multi-file image and if destination device switching is supported the image is continued on another device
1
AO-11 If requested a clone is created during an acquisition of a digital source
6
AO-13 A clone is created using access interface DST-AI to write to the clone device
6
AO-14 If an unaligned clone is created each sector written to the clone is accurately written to the same disk address on the clone that the sector occupied on the digital source
6
AO-17 If requested any excess sectors on a clone destination device are not modified
4
AO-19 If there is insufficient space to create a complete clone a truncated clone is created using all available sectors of the clone device
1
AO-20 If a truncated clone is created the tool notifies the user 1 AO-23 If the tool logs any log significant information the information is accurately recorded in the log file
20 33
AO-24 If the tool executes in a forensically safe execution environment the digital source is unchanged by the acquisition process
20
Two test assertions only apply in special circumstances The assertion AO-22 is checked only for tools that create block hashes The assertion AO-24 is only checked if the tool is executed in a run time environment that does not modify attached storage devices such as MS DOS In normal operation an imaging tool is used in conjunction with a write block device to protect the source drive however a blocker was not used during the tests so that assertion AO-24 could be checked Table 4 lists the assertions that were not tested usually due to the tool not supporting some optional feature eg creation of cylinder aligned clones
Table 4 Assertions Not Tested
Assertions Not Tested AO-03 If there is an error while writing the image file the tool notifies the user AO-06 If the tool performs an image file integrity check on an image file that has not been changed since the file was created the tool shall notify the user that the image file has not been changed AO-07 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user that the image file has been changed AO-08 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user of the affected locations AO-09 If the tool converts a source image file from one format to a target image file in another format the acquired data represented in the target image file is the same as the
July 2011 6 of 53 Tableau TD1 Forensic Duplicator
Assertions Not Tested acquired data in the source image file AO-12 If requested a clone is created from an image file AO-15 If an aligned clone is created each sector within a contiguous span of sectors from the source is accurately written to the same disk address on the clone device relative to the start of the span as the sector occupied on the original digital source A span of sectors is defined to be either a mountable partition or a contiguous sequence of sectors not part of a mountable partition Extended partitions which may contain both mountable partitions and unallocated sectors are not mountable partitions AO-16 If a subset of an image or acquisition is specified all the subset is cloned AO-18 If requested a benign fill is written to excess sectors of a clone AO-21 If there is a write error during clone creation the tool notifies the user AO-22 If requested the tool calculates block hashes for a specified block size during an acquisition for each block acquired from the digital source
31 Acquisition of Faulty Sectors The Tableau TD1 Forensic Duplicator (firmware version 234 Feb 17 2011) offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some readable sectors near faulty sectors bull complete ndash reads all readable sectors
For test case DA-09-FAST the fast error recovery mode was specified and readable sectors in the same 128-sector imaging block as faulty sectors were skipped and replaced by zeros in the created clone For test case DA-09-COMPLETE the complete error recovery mode was specified and all readable sectors were acquired This is the behavior intended for the tool by the tool vendor
32 DCO Hidden Sector Tests The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using a Disk Utilities option In cases DA-08-DCO and DA-08-DCO-ALT the Disk Utilities option was not exercised and sectors hidden by a DCO were not acquired in case DA-08-DCO-ALT-SATA the Disk Utilities option was exercised to remove the DCO and all sectors were successfully acquired
33 Bogus Error Messages The tool is designed to warn the user prior to the start of an acquisition when a source drive contains hidden sectors (ie an HPA or DCO) In two cases DA-08-ATA28 and DA-08-DCO-ALT in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 a source drive containing an HPA was imaged The tool automatically removed the HPA and acquired all visible and hidden sectors In case DA-08-DCO-ALT a source
July 2011 7 of 53 Tableau TD1 Forensic Duplicator
drive containing a DCO was imaged In this case visible sectors were acquired but sectors hidden by a DCO were not
4 Testing Environment The tests were run in the NIST CFTT lab This section describes using the support software and notes on test hardware
41 Support Software A package of programs to support test analysis FS-TST Release 20 was used The software can be obtained from httpwwwcfttnistgovdiskimagingfs-tst20zip
42 Test Drive Creation There are three ways that a hard drive may be used in a tool test case as a source drive that is imaged by the tool as a media drive that contains image files created by the tool under test or as a destination drive on which the tool under test creates a clone of the source drive In addition to the operating system drive formatting tools some tools (diskwipe and diskhash) from the FS-TST package are used to set up test drives
To set up a media drive the drive is formatted with one of the supported file systems A media drive may be used in several test cases
The setup of most source drives follows the same general procedure but there are several steps that may be varied depending on the needs of the test case
1 The drive is filled with known data by the diskwipe program from FS-TST The diskwipe program writes the sector address to each sector in both CHS and LBA format The remainder of the sector bytes is set to a constant fill value unique for each drive The fill value is noted in the diskwipe tool log file
2 The drive may be formatted with partitions as required for the test case 3 An operating system may optionally be installed 4 A set of reference hashes is created by the FS-TST diskhash tool These include
both SHA1 and MD5 hashes In addition to full drive hashes hashes of each partition may also be computed
5 If the drive is intended for hidden area tests (DA-08) an HPA a DCO or both may be created The diskhash tool is then used to calculate reference hashes of just the visible sectors of the drive
The source drives for DA-09 are created such that there is a consistent set of faulty sectors on the drive Each of these source drives is initialized with diskwipe and then their faulty sectors are activated For each of these source drives a second drive of the same size with the same content as the faulty sector drive but with no faulty sectors serves as a reference drive for images made from the faulty drive
To set up a destination drive the drive is filled with known data by the diskwipe program from FS-TST Partitions may be created if the test case involves restoring from the image of a logical acquire
July 2011 8 of 53 Tableau TD1 Forensic Duplicator
43 Test Drive Analysis For test cases that create a clone of a physical device (eg DA-01 DA-04) the destination drive is compared to the source drive with the diskcmp program from the FS-TST package For test cases that create a clone of a logical device (ie a partition eg DA-02 DA-20) the destination partition is compared to the source partition with the partcmp program For a destination created from an image file (eg DA-14) the destination is compared using either diskcmp (for physical device clones) or partcmp (for partition clones) to the source that was acquired to create the image file Both diskcmp and partcmp note differences between the source and destination If the destination is larger than the source it is scanned and the excess destination sectors are categorized as either undisturbed (still containing the fill pattern written by diskwipe) zero filled or changed to something else
For test case DA-09 imaging a drive with known faulty sectors the program anabad is used to compare the faulty sector reference drive to a cloned version of the faulty sector drive
For test cases such as DA-06 and DA-07 any acquisition hash computed by the tool under test is compared to the reference hash of the source to check that the source is completely and accurately acquired
44 Note on Test Drives The testing uses several test drives from a variety of vendors The drives are identified by an external label that consists of a 2-digit hexadecimal value and an optional tag (eg 25-SATA) The combination of hex value and tag serves as a unique identifier for each drive The 2-digit hex value is used by the FS-TST diskwipe program as a sector fill value The FS-TST compare tools diskcmp and partcmp count sectors that are filled with the source and destination fill values on a destination that is larger than the original source
5 Test Results The main item of interest for interpreting the test results is determining the conformance of the device with the test assertions Conformance with each assertion tested by a given test case is evaluated by examining the Log Highlights box of the test case details
51 Test Results Report Key A summary of the actual test results is presented in this report The following table presents a description of each section of the test report summary The Tester Name Test Host Test Date Drives Source Setup and Log Highlights sections for each test case are populated by excerpts taken from the log files produced by the tool under test and the FS-TST tools that were executed in support of test case setup and analysis
Heading Description First Line Test case ID name and version of tool tested Case Summary Test case summary from Digital Data Acquisition Tool
Assertions and Test Plan Version 10
July 2011 9 of 53 Tableau TD1 Forensic Duplicator
Heading Description Assertions The test assertions applicable to the test case selected from
Digital Data Acquisition Tool Assertions and Test Plan Version 10
Tester Name Name or initials of person executing test procedure Test Host Host computer executing the test Test Date Time and date that test was started Drives Source drive (the drive acquired) destination drive (if a
clone is created) and media drive (to contain a created image)
Source Setup Layout of partitions on the source drive and the expected hash of the drive
Log Highlights Information extracted from various log files to illustrate conformance or nonconformance to the test assertions
Results Expected and actual results for each assertion tested Analysis Whether or not the expected results were achieved
52 Test Details
521 DA-01-ATA28 Test Case DA-01-ATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 104849 2011 Drives src(01-IDE) dst (58-IDE) other (none)Source src hash (SHA1) lt A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9 gtSetup src hash (MD5) lt F458F673894753FA6A0EC8B8EC63848E gt
78165360 total sectors (40020664320 bytes)Model (0BB-00JHC0 ) serial ( WD-WMAMC74171)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057175335 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12
July 2011 10 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027744255 102300001 102325463 05 extended 15 S 000000063 027744192 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry
LogHighlights
====== Destination drive setup ======117231408 sectors wiped with 58
====== Comparison of original to clone drive ======Sectors compared 78165360Sectors match 78165360 Sectors differ 0 Bytes differ 0 Diffs rangeSource (78165360) has 39066048 fewer sectors than destination (117231408)Zero fill 0 Src Byte fill (01) 0 Dst Byte fill (58) 39066048Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 78165360-117231407 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA28 of sectors acquired 78165360 (400 GB)Source hash SHA1 a48bb5665d6dc57c22db68e2f723da9aa8df82b9 MD5 f458f673894753fa6a0ec8b8ec63848e
====== Source drive rehash ====== Rehash (SHA1) of source A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expected
July 2011 11 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 AO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 12 of 53 Tableau TD1 Forensic Duplicator
522 DA-01-ATA48 Test Case DA-01-ATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 115123 2011 Drives src(4C) dst (46-SATA) other (none)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 390700737 sectors 200038777344 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 46
====== Comparison of original to clone drive ======Sectors compared 390721968Sectors match 390721968 Sectors differ 0 Bytes differ 0 Diffs rangeSource (390721968) has 97675200 fewer sectors than destination (488397168)Zero fill 0 Src Byte fill (4C) 0 Dst Byte fill (46) 97675200Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 390721968-488397167 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======
July 2011 13 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Assertions Tested Tests Anomaly AO-10 If there is insufficient space to contain all files of a multi-file image and if destination device switching is supported the image is continued on another device
1
AO-11 If requested a clone is created during an acquisition of a digital source
6
AO-13 A clone is created using access interface DST-AI to write to the clone device
6
AO-14 If an unaligned clone is created each sector written to the clone is accurately written to the same disk address on the clone that the sector occupied on the digital source
6
AO-17 If requested any excess sectors on a clone destination device are not modified
4
AO-19 If there is insufficient space to create a complete clone a truncated clone is created using all available sectors of the clone device
1
AO-20 If a truncated clone is created the tool notifies the user 1 AO-23 If the tool logs any log significant information the information is accurately recorded in the log file
20 33
AO-24 If the tool executes in a forensically safe execution environment the digital source is unchanged by the acquisition process
20
Two test assertions only apply in special circumstances The assertion AO-22 is checked only for tools that create block hashes The assertion AO-24 is only checked if the tool is executed in a run time environment that does not modify attached storage devices such as MS DOS In normal operation an imaging tool is used in conjunction with a write block device to protect the source drive however a blocker was not used during the tests so that assertion AO-24 could be checked Table 4 lists the assertions that were not tested usually due to the tool not supporting some optional feature eg creation of cylinder aligned clones
Table 4 Assertions Not Tested
Assertions Not Tested AO-03 If there is an error while writing the image file the tool notifies the user AO-06 If the tool performs an image file integrity check on an image file that has not been changed since the file was created the tool shall notify the user that the image file has not been changed AO-07 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user that the image file has been changed AO-08 If the tool performs an image file integrity check on an image file that has been changed since the file was created the tool shall notify the user of the affected locations AO-09 If the tool converts a source image file from one format to a target image file in another format the acquired data represented in the target image file is the same as the
July 2011 6 of 53 Tableau TD1 Forensic Duplicator
Assertions Not Tested acquired data in the source image file AO-12 If requested a clone is created from an image file AO-15 If an aligned clone is created each sector within a contiguous span of sectors from the source is accurately written to the same disk address on the clone device relative to the start of the span as the sector occupied on the original digital source A span of sectors is defined to be either a mountable partition or a contiguous sequence of sectors not part of a mountable partition Extended partitions which may contain both mountable partitions and unallocated sectors are not mountable partitions AO-16 If a subset of an image or acquisition is specified all the subset is cloned AO-18 If requested a benign fill is written to excess sectors of a clone AO-21 If there is a write error during clone creation the tool notifies the user AO-22 If requested the tool calculates block hashes for a specified block size during an acquisition for each block acquired from the digital source
31 Acquisition of Faulty Sectors The Tableau TD1 Forensic Duplicator (firmware version 234 Feb 17 2011) offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some readable sectors near faulty sectors bull complete ndash reads all readable sectors
For test case DA-09-FAST the fast error recovery mode was specified and readable sectors in the same 128-sector imaging block as faulty sectors were skipped and replaced by zeros in the created clone For test case DA-09-COMPLETE the complete error recovery mode was specified and all readable sectors were acquired This is the behavior intended for the tool by the tool vendor
32 DCO Hidden Sector Tests The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using a Disk Utilities option In cases DA-08-DCO and DA-08-DCO-ALT the Disk Utilities option was not exercised and sectors hidden by a DCO were not acquired in case DA-08-DCO-ALT-SATA the Disk Utilities option was exercised to remove the DCO and all sectors were successfully acquired
33 Bogus Error Messages The tool is designed to warn the user prior to the start of an acquisition when a source drive contains hidden sectors (ie an HPA or DCO) In two cases DA-08-ATA28 and DA-08-DCO-ALT in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 a source drive containing an HPA was imaged The tool automatically removed the HPA and acquired all visible and hidden sectors In case DA-08-DCO-ALT a source
July 2011 7 of 53 Tableau TD1 Forensic Duplicator
drive containing a DCO was imaged In this case visible sectors were acquired but sectors hidden by a DCO were not
4 Testing Environment The tests were run in the NIST CFTT lab This section describes using the support software and notes on test hardware
41 Support Software A package of programs to support test analysis FS-TST Release 20 was used The software can be obtained from httpwwwcfttnistgovdiskimagingfs-tst20zip
42 Test Drive Creation There are three ways that a hard drive may be used in a tool test case as a source drive that is imaged by the tool as a media drive that contains image files created by the tool under test or as a destination drive on which the tool under test creates a clone of the source drive In addition to the operating system drive formatting tools some tools (diskwipe and diskhash) from the FS-TST package are used to set up test drives
To set up a media drive the drive is formatted with one of the supported file systems A media drive may be used in several test cases
The setup of most source drives follows the same general procedure but there are several steps that may be varied depending on the needs of the test case
1 The drive is filled with known data by the diskwipe program from FS-TST The diskwipe program writes the sector address to each sector in both CHS and LBA format The remainder of the sector bytes is set to a constant fill value unique for each drive The fill value is noted in the diskwipe tool log file
2 The drive may be formatted with partitions as required for the test case 3 An operating system may optionally be installed 4 A set of reference hashes is created by the FS-TST diskhash tool These include
both SHA1 and MD5 hashes In addition to full drive hashes hashes of each partition may also be computed
5 If the drive is intended for hidden area tests (DA-08) an HPA a DCO or both may be created The diskhash tool is then used to calculate reference hashes of just the visible sectors of the drive
The source drives for DA-09 are created such that there is a consistent set of faulty sectors on the drive Each of these source drives is initialized with diskwipe and then their faulty sectors are activated For each of these source drives a second drive of the same size with the same content as the faulty sector drive but with no faulty sectors serves as a reference drive for images made from the faulty drive
To set up a destination drive the drive is filled with known data by the diskwipe program from FS-TST Partitions may be created if the test case involves restoring from the image of a logical acquire
July 2011 8 of 53 Tableau TD1 Forensic Duplicator
43 Test Drive Analysis For test cases that create a clone of a physical device (eg DA-01 DA-04) the destination drive is compared to the source drive with the diskcmp program from the FS-TST package For test cases that create a clone of a logical device (ie a partition eg DA-02 DA-20) the destination partition is compared to the source partition with the partcmp program For a destination created from an image file (eg DA-14) the destination is compared using either diskcmp (for physical device clones) or partcmp (for partition clones) to the source that was acquired to create the image file Both diskcmp and partcmp note differences between the source and destination If the destination is larger than the source it is scanned and the excess destination sectors are categorized as either undisturbed (still containing the fill pattern written by diskwipe) zero filled or changed to something else
For test case DA-09 imaging a drive with known faulty sectors the program anabad is used to compare the faulty sector reference drive to a cloned version of the faulty sector drive
For test cases such as DA-06 and DA-07 any acquisition hash computed by the tool under test is compared to the reference hash of the source to check that the source is completely and accurately acquired
44 Note on Test Drives The testing uses several test drives from a variety of vendors The drives are identified by an external label that consists of a 2-digit hexadecimal value and an optional tag (eg 25-SATA) The combination of hex value and tag serves as a unique identifier for each drive The 2-digit hex value is used by the FS-TST diskwipe program as a sector fill value The FS-TST compare tools diskcmp and partcmp count sectors that are filled with the source and destination fill values on a destination that is larger than the original source
5 Test Results The main item of interest for interpreting the test results is determining the conformance of the device with the test assertions Conformance with each assertion tested by a given test case is evaluated by examining the Log Highlights box of the test case details
51 Test Results Report Key A summary of the actual test results is presented in this report The following table presents a description of each section of the test report summary The Tester Name Test Host Test Date Drives Source Setup and Log Highlights sections for each test case are populated by excerpts taken from the log files produced by the tool under test and the FS-TST tools that were executed in support of test case setup and analysis
Heading Description First Line Test case ID name and version of tool tested Case Summary Test case summary from Digital Data Acquisition Tool
Assertions and Test Plan Version 10
July 2011 9 of 53 Tableau TD1 Forensic Duplicator
Heading Description Assertions The test assertions applicable to the test case selected from
Digital Data Acquisition Tool Assertions and Test Plan Version 10
Tester Name Name or initials of person executing test procedure Test Host Host computer executing the test Test Date Time and date that test was started Drives Source drive (the drive acquired) destination drive (if a
clone is created) and media drive (to contain a created image)
Source Setup Layout of partitions on the source drive and the expected hash of the drive
Log Highlights Information extracted from various log files to illustrate conformance or nonconformance to the test assertions
Results Expected and actual results for each assertion tested Analysis Whether or not the expected results were achieved
52 Test Details
521 DA-01-ATA28 Test Case DA-01-ATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 104849 2011 Drives src(01-IDE) dst (58-IDE) other (none)Source src hash (SHA1) lt A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9 gtSetup src hash (MD5) lt F458F673894753FA6A0EC8B8EC63848E gt
78165360 total sectors (40020664320 bytes)Model (0BB-00JHC0 ) serial ( WD-WMAMC74171)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057175335 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12
July 2011 10 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027744255 102300001 102325463 05 extended 15 S 000000063 027744192 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry
LogHighlights
====== Destination drive setup ======117231408 sectors wiped with 58
====== Comparison of original to clone drive ======Sectors compared 78165360Sectors match 78165360 Sectors differ 0 Bytes differ 0 Diffs rangeSource (78165360) has 39066048 fewer sectors than destination (117231408)Zero fill 0 Src Byte fill (01) 0 Dst Byte fill (58) 39066048Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 78165360-117231407 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA28 of sectors acquired 78165360 (400 GB)Source hash SHA1 a48bb5665d6dc57c22db68e2f723da9aa8df82b9 MD5 f458f673894753fa6a0ec8b8ec63848e
====== Source drive rehash ====== Rehash (SHA1) of source A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expected
July 2011 11 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 AO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 12 of 53 Tableau TD1 Forensic Duplicator
522 DA-01-ATA48 Test Case DA-01-ATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 115123 2011 Drives src(4C) dst (46-SATA) other (none)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 390700737 sectors 200038777344 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 46
====== Comparison of original to clone drive ======Sectors compared 390721968Sectors match 390721968 Sectors differ 0 Bytes differ 0 Diffs rangeSource (390721968) has 97675200 fewer sectors than destination (488397168)Zero fill 0 Src Byte fill (4C) 0 Dst Byte fill (46) 97675200Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 390721968-488397167 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======
July 2011 13 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Assertions Not Tested acquired data in the source image file AO-12 If requested a clone is created from an image file AO-15 If an aligned clone is created each sector within a contiguous span of sectors from the source is accurately written to the same disk address on the clone device relative to the start of the span as the sector occupied on the original digital source A span of sectors is defined to be either a mountable partition or a contiguous sequence of sectors not part of a mountable partition Extended partitions which may contain both mountable partitions and unallocated sectors are not mountable partitions AO-16 If a subset of an image or acquisition is specified all the subset is cloned AO-18 If requested a benign fill is written to excess sectors of a clone AO-21 If there is a write error during clone creation the tool notifies the user AO-22 If requested the tool calculates block hashes for a specified block size during an acquisition for each block acquired from the digital source
31 Acquisition of Faulty Sectors The Tableau TD1 Forensic Duplicator (firmware version 234 Feb 17 2011) offers two error recovery modes for treating faulty sectors encountered on source media
bull fast ndash may skip some readable sectors near faulty sectors bull complete ndash reads all readable sectors
For test case DA-09-FAST the fast error recovery mode was specified and readable sectors in the same 128-sector imaging block as faulty sectors were skipped and replaced by zeros in the created clone For test case DA-09-COMPLETE the complete error recovery mode was specified and all readable sectors were acquired This is the behavior intended for the tool by the tool vendor
32 DCO Hidden Sector Tests The tool does not automatically remove DCOs from source drives but is designed to alert the user when a DCO exists A user may cancel the duplication process and manually remove the DCO using a Disk Utilities option In cases DA-08-DCO and DA-08-DCO-ALT the Disk Utilities option was not exercised and sectors hidden by a DCO were not acquired in case DA-08-DCO-ALT-SATA the Disk Utilities option was exercised to remove the DCO and all sectors were successfully acquired
33 Bogus Error Messages The tool is designed to warn the user prior to the start of an acquisition when a source drive contains hidden sectors (ie an HPA or DCO) In two cases DA-08-ATA28 and DA-08-DCO-ALT in place of alerting the user of hidden sectors on the source drive the tool issued bogus alerts stating that the ldquoSource disk may be blankrdquo In case DA-08-ATA28 a source drive containing an HPA was imaged The tool automatically removed the HPA and acquired all visible and hidden sectors In case DA-08-DCO-ALT a source
July 2011 7 of 53 Tableau TD1 Forensic Duplicator
drive containing a DCO was imaged In this case visible sectors were acquired but sectors hidden by a DCO were not
4 Testing Environment The tests were run in the NIST CFTT lab This section describes using the support software and notes on test hardware
41 Support Software A package of programs to support test analysis FS-TST Release 20 was used The software can be obtained from httpwwwcfttnistgovdiskimagingfs-tst20zip
42 Test Drive Creation There are three ways that a hard drive may be used in a tool test case as a source drive that is imaged by the tool as a media drive that contains image files created by the tool under test or as a destination drive on which the tool under test creates a clone of the source drive In addition to the operating system drive formatting tools some tools (diskwipe and diskhash) from the FS-TST package are used to set up test drives
To set up a media drive the drive is formatted with one of the supported file systems A media drive may be used in several test cases
The setup of most source drives follows the same general procedure but there are several steps that may be varied depending on the needs of the test case
1 The drive is filled with known data by the diskwipe program from FS-TST The diskwipe program writes the sector address to each sector in both CHS and LBA format The remainder of the sector bytes is set to a constant fill value unique for each drive The fill value is noted in the diskwipe tool log file
2 The drive may be formatted with partitions as required for the test case 3 An operating system may optionally be installed 4 A set of reference hashes is created by the FS-TST diskhash tool These include
both SHA1 and MD5 hashes In addition to full drive hashes hashes of each partition may also be computed
5 If the drive is intended for hidden area tests (DA-08) an HPA a DCO or both may be created The diskhash tool is then used to calculate reference hashes of just the visible sectors of the drive
The source drives for DA-09 are created such that there is a consistent set of faulty sectors on the drive Each of these source drives is initialized with diskwipe and then their faulty sectors are activated For each of these source drives a second drive of the same size with the same content as the faulty sector drive but with no faulty sectors serves as a reference drive for images made from the faulty drive
To set up a destination drive the drive is filled with known data by the diskwipe program from FS-TST Partitions may be created if the test case involves restoring from the image of a logical acquire
July 2011 8 of 53 Tableau TD1 Forensic Duplicator
43 Test Drive Analysis For test cases that create a clone of a physical device (eg DA-01 DA-04) the destination drive is compared to the source drive with the diskcmp program from the FS-TST package For test cases that create a clone of a logical device (ie a partition eg DA-02 DA-20) the destination partition is compared to the source partition with the partcmp program For a destination created from an image file (eg DA-14) the destination is compared using either diskcmp (for physical device clones) or partcmp (for partition clones) to the source that was acquired to create the image file Both diskcmp and partcmp note differences between the source and destination If the destination is larger than the source it is scanned and the excess destination sectors are categorized as either undisturbed (still containing the fill pattern written by diskwipe) zero filled or changed to something else
For test case DA-09 imaging a drive with known faulty sectors the program anabad is used to compare the faulty sector reference drive to a cloned version of the faulty sector drive
For test cases such as DA-06 and DA-07 any acquisition hash computed by the tool under test is compared to the reference hash of the source to check that the source is completely and accurately acquired
44 Note on Test Drives The testing uses several test drives from a variety of vendors The drives are identified by an external label that consists of a 2-digit hexadecimal value and an optional tag (eg 25-SATA) The combination of hex value and tag serves as a unique identifier for each drive The 2-digit hex value is used by the FS-TST diskwipe program as a sector fill value The FS-TST compare tools diskcmp and partcmp count sectors that are filled with the source and destination fill values on a destination that is larger than the original source
5 Test Results The main item of interest for interpreting the test results is determining the conformance of the device with the test assertions Conformance with each assertion tested by a given test case is evaluated by examining the Log Highlights box of the test case details
51 Test Results Report Key A summary of the actual test results is presented in this report The following table presents a description of each section of the test report summary The Tester Name Test Host Test Date Drives Source Setup and Log Highlights sections for each test case are populated by excerpts taken from the log files produced by the tool under test and the FS-TST tools that were executed in support of test case setup and analysis
Heading Description First Line Test case ID name and version of tool tested Case Summary Test case summary from Digital Data Acquisition Tool
Assertions and Test Plan Version 10
July 2011 9 of 53 Tableau TD1 Forensic Duplicator
Heading Description Assertions The test assertions applicable to the test case selected from
Digital Data Acquisition Tool Assertions and Test Plan Version 10
Tester Name Name or initials of person executing test procedure Test Host Host computer executing the test Test Date Time and date that test was started Drives Source drive (the drive acquired) destination drive (if a
clone is created) and media drive (to contain a created image)
Source Setup Layout of partitions on the source drive and the expected hash of the drive
Log Highlights Information extracted from various log files to illustrate conformance or nonconformance to the test assertions
Results Expected and actual results for each assertion tested Analysis Whether or not the expected results were achieved
52 Test Details
521 DA-01-ATA28 Test Case DA-01-ATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 104849 2011 Drives src(01-IDE) dst (58-IDE) other (none)Source src hash (SHA1) lt A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9 gtSetup src hash (MD5) lt F458F673894753FA6A0EC8B8EC63848E gt
78165360 total sectors (40020664320 bytes)Model (0BB-00JHC0 ) serial ( WD-WMAMC74171)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057175335 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12
July 2011 10 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027744255 102300001 102325463 05 extended 15 S 000000063 027744192 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry
LogHighlights
====== Destination drive setup ======117231408 sectors wiped with 58
====== Comparison of original to clone drive ======Sectors compared 78165360Sectors match 78165360 Sectors differ 0 Bytes differ 0 Diffs rangeSource (78165360) has 39066048 fewer sectors than destination (117231408)Zero fill 0 Src Byte fill (01) 0 Dst Byte fill (58) 39066048Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 78165360-117231407 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA28 of sectors acquired 78165360 (400 GB)Source hash SHA1 a48bb5665d6dc57c22db68e2f723da9aa8df82b9 MD5 f458f673894753fa6a0ec8b8ec63848e
====== Source drive rehash ====== Rehash (SHA1) of source A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expected
July 2011 11 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 AO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 12 of 53 Tableau TD1 Forensic Duplicator
522 DA-01-ATA48 Test Case DA-01-ATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 115123 2011 Drives src(4C) dst (46-SATA) other (none)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 390700737 sectors 200038777344 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 46
====== Comparison of original to clone drive ======Sectors compared 390721968Sectors match 390721968 Sectors differ 0 Bytes differ 0 Diffs rangeSource (390721968) has 97675200 fewer sectors than destination (488397168)Zero fill 0 Src Byte fill (4C) 0 Dst Byte fill (46) 97675200Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 390721968-488397167 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======
July 2011 13 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
drive containing a DCO was imaged In this case visible sectors were acquired but sectors hidden by a DCO were not
4 Testing Environment The tests were run in the NIST CFTT lab This section describes using the support software and notes on test hardware
41 Support Software A package of programs to support test analysis FS-TST Release 20 was used The software can be obtained from httpwwwcfttnistgovdiskimagingfs-tst20zip
42 Test Drive Creation There are three ways that a hard drive may be used in a tool test case as a source drive that is imaged by the tool as a media drive that contains image files created by the tool under test or as a destination drive on which the tool under test creates a clone of the source drive In addition to the operating system drive formatting tools some tools (diskwipe and diskhash) from the FS-TST package are used to set up test drives
To set up a media drive the drive is formatted with one of the supported file systems A media drive may be used in several test cases
The setup of most source drives follows the same general procedure but there are several steps that may be varied depending on the needs of the test case
1 The drive is filled with known data by the diskwipe program from FS-TST The diskwipe program writes the sector address to each sector in both CHS and LBA format The remainder of the sector bytes is set to a constant fill value unique for each drive The fill value is noted in the diskwipe tool log file
2 The drive may be formatted with partitions as required for the test case 3 An operating system may optionally be installed 4 A set of reference hashes is created by the FS-TST diskhash tool These include
both SHA1 and MD5 hashes In addition to full drive hashes hashes of each partition may also be computed
5 If the drive is intended for hidden area tests (DA-08) an HPA a DCO or both may be created The diskhash tool is then used to calculate reference hashes of just the visible sectors of the drive
The source drives for DA-09 are created such that there is a consistent set of faulty sectors on the drive Each of these source drives is initialized with diskwipe and then their faulty sectors are activated For each of these source drives a second drive of the same size with the same content as the faulty sector drive but with no faulty sectors serves as a reference drive for images made from the faulty drive
To set up a destination drive the drive is filled with known data by the diskwipe program from FS-TST Partitions may be created if the test case involves restoring from the image of a logical acquire
July 2011 8 of 53 Tableau TD1 Forensic Duplicator
43 Test Drive Analysis For test cases that create a clone of a physical device (eg DA-01 DA-04) the destination drive is compared to the source drive with the diskcmp program from the FS-TST package For test cases that create a clone of a logical device (ie a partition eg DA-02 DA-20) the destination partition is compared to the source partition with the partcmp program For a destination created from an image file (eg DA-14) the destination is compared using either diskcmp (for physical device clones) or partcmp (for partition clones) to the source that was acquired to create the image file Both diskcmp and partcmp note differences between the source and destination If the destination is larger than the source it is scanned and the excess destination sectors are categorized as either undisturbed (still containing the fill pattern written by diskwipe) zero filled or changed to something else
For test case DA-09 imaging a drive with known faulty sectors the program anabad is used to compare the faulty sector reference drive to a cloned version of the faulty sector drive
For test cases such as DA-06 and DA-07 any acquisition hash computed by the tool under test is compared to the reference hash of the source to check that the source is completely and accurately acquired
44 Note on Test Drives The testing uses several test drives from a variety of vendors The drives are identified by an external label that consists of a 2-digit hexadecimal value and an optional tag (eg 25-SATA) The combination of hex value and tag serves as a unique identifier for each drive The 2-digit hex value is used by the FS-TST diskwipe program as a sector fill value The FS-TST compare tools diskcmp and partcmp count sectors that are filled with the source and destination fill values on a destination that is larger than the original source
5 Test Results The main item of interest for interpreting the test results is determining the conformance of the device with the test assertions Conformance with each assertion tested by a given test case is evaluated by examining the Log Highlights box of the test case details
51 Test Results Report Key A summary of the actual test results is presented in this report The following table presents a description of each section of the test report summary The Tester Name Test Host Test Date Drives Source Setup and Log Highlights sections for each test case are populated by excerpts taken from the log files produced by the tool under test and the FS-TST tools that were executed in support of test case setup and analysis
Heading Description First Line Test case ID name and version of tool tested Case Summary Test case summary from Digital Data Acquisition Tool
Assertions and Test Plan Version 10
July 2011 9 of 53 Tableau TD1 Forensic Duplicator
Heading Description Assertions The test assertions applicable to the test case selected from
Digital Data Acquisition Tool Assertions and Test Plan Version 10
Tester Name Name or initials of person executing test procedure Test Host Host computer executing the test Test Date Time and date that test was started Drives Source drive (the drive acquired) destination drive (if a
clone is created) and media drive (to contain a created image)
Source Setup Layout of partitions on the source drive and the expected hash of the drive
Log Highlights Information extracted from various log files to illustrate conformance or nonconformance to the test assertions
Results Expected and actual results for each assertion tested Analysis Whether or not the expected results were achieved
52 Test Details
521 DA-01-ATA28 Test Case DA-01-ATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 104849 2011 Drives src(01-IDE) dst (58-IDE) other (none)Source src hash (SHA1) lt A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9 gtSetup src hash (MD5) lt F458F673894753FA6A0EC8B8EC63848E gt
78165360 total sectors (40020664320 bytes)Model (0BB-00JHC0 ) serial ( WD-WMAMC74171)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057175335 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12
July 2011 10 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027744255 102300001 102325463 05 extended 15 S 000000063 027744192 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry
LogHighlights
====== Destination drive setup ======117231408 sectors wiped with 58
====== Comparison of original to clone drive ======Sectors compared 78165360Sectors match 78165360 Sectors differ 0 Bytes differ 0 Diffs rangeSource (78165360) has 39066048 fewer sectors than destination (117231408)Zero fill 0 Src Byte fill (01) 0 Dst Byte fill (58) 39066048Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 78165360-117231407 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA28 of sectors acquired 78165360 (400 GB)Source hash SHA1 a48bb5665d6dc57c22db68e2f723da9aa8df82b9 MD5 f458f673894753fa6a0ec8b8ec63848e
====== Source drive rehash ====== Rehash (SHA1) of source A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expected
July 2011 11 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 AO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 12 of 53 Tableau TD1 Forensic Duplicator
522 DA-01-ATA48 Test Case DA-01-ATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 115123 2011 Drives src(4C) dst (46-SATA) other (none)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 390700737 sectors 200038777344 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 46
====== Comparison of original to clone drive ======Sectors compared 390721968Sectors match 390721968 Sectors differ 0 Bytes differ 0 Diffs rangeSource (390721968) has 97675200 fewer sectors than destination (488397168)Zero fill 0 Src Byte fill (4C) 0 Dst Byte fill (46) 97675200Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 390721968-488397167 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======
July 2011 13 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
43 Test Drive Analysis For test cases that create a clone of a physical device (eg DA-01 DA-04) the destination drive is compared to the source drive with the diskcmp program from the FS-TST package For test cases that create a clone of a logical device (ie a partition eg DA-02 DA-20) the destination partition is compared to the source partition with the partcmp program For a destination created from an image file (eg DA-14) the destination is compared using either diskcmp (for physical device clones) or partcmp (for partition clones) to the source that was acquired to create the image file Both diskcmp and partcmp note differences between the source and destination If the destination is larger than the source it is scanned and the excess destination sectors are categorized as either undisturbed (still containing the fill pattern written by diskwipe) zero filled or changed to something else
For test case DA-09 imaging a drive with known faulty sectors the program anabad is used to compare the faulty sector reference drive to a cloned version of the faulty sector drive
For test cases such as DA-06 and DA-07 any acquisition hash computed by the tool under test is compared to the reference hash of the source to check that the source is completely and accurately acquired
44 Note on Test Drives The testing uses several test drives from a variety of vendors The drives are identified by an external label that consists of a 2-digit hexadecimal value and an optional tag (eg 25-SATA) The combination of hex value and tag serves as a unique identifier for each drive The 2-digit hex value is used by the FS-TST diskwipe program as a sector fill value The FS-TST compare tools diskcmp and partcmp count sectors that are filled with the source and destination fill values on a destination that is larger than the original source
5 Test Results The main item of interest for interpreting the test results is determining the conformance of the device with the test assertions Conformance with each assertion tested by a given test case is evaluated by examining the Log Highlights box of the test case details
51 Test Results Report Key A summary of the actual test results is presented in this report The following table presents a description of each section of the test report summary The Tester Name Test Host Test Date Drives Source Setup and Log Highlights sections for each test case are populated by excerpts taken from the log files produced by the tool under test and the FS-TST tools that were executed in support of test case setup and analysis
Heading Description First Line Test case ID name and version of tool tested Case Summary Test case summary from Digital Data Acquisition Tool
Assertions and Test Plan Version 10
July 2011 9 of 53 Tableau TD1 Forensic Duplicator
Heading Description Assertions The test assertions applicable to the test case selected from
Digital Data Acquisition Tool Assertions and Test Plan Version 10
Tester Name Name or initials of person executing test procedure Test Host Host computer executing the test Test Date Time and date that test was started Drives Source drive (the drive acquired) destination drive (if a
clone is created) and media drive (to contain a created image)
Source Setup Layout of partitions on the source drive and the expected hash of the drive
Log Highlights Information extracted from various log files to illustrate conformance or nonconformance to the test assertions
Results Expected and actual results for each assertion tested Analysis Whether or not the expected results were achieved
52 Test Details
521 DA-01-ATA28 Test Case DA-01-ATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 104849 2011 Drives src(01-IDE) dst (58-IDE) other (none)Source src hash (SHA1) lt A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9 gtSetup src hash (MD5) lt F458F673894753FA6A0EC8B8EC63848E gt
78165360 total sectors (40020664320 bytes)Model (0BB-00JHC0 ) serial ( WD-WMAMC74171)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057175335 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12
July 2011 10 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027744255 102300001 102325463 05 extended 15 S 000000063 027744192 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry
LogHighlights
====== Destination drive setup ======117231408 sectors wiped with 58
====== Comparison of original to clone drive ======Sectors compared 78165360Sectors match 78165360 Sectors differ 0 Bytes differ 0 Diffs rangeSource (78165360) has 39066048 fewer sectors than destination (117231408)Zero fill 0 Src Byte fill (01) 0 Dst Byte fill (58) 39066048Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 78165360-117231407 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA28 of sectors acquired 78165360 (400 GB)Source hash SHA1 a48bb5665d6dc57c22db68e2f723da9aa8df82b9 MD5 f458f673894753fa6a0ec8b8ec63848e
====== Source drive rehash ====== Rehash (SHA1) of source A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expected
July 2011 11 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 AO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 12 of 53 Tableau TD1 Forensic Duplicator
522 DA-01-ATA48 Test Case DA-01-ATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 115123 2011 Drives src(4C) dst (46-SATA) other (none)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 390700737 sectors 200038777344 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 46
====== Comparison of original to clone drive ======Sectors compared 390721968Sectors match 390721968 Sectors differ 0 Bytes differ 0 Diffs rangeSource (390721968) has 97675200 fewer sectors than destination (488397168)Zero fill 0 Src Byte fill (4C) 0 Dst Byte fill (46) 97675200Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 390721968-488397167 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======
July 2011 13 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Heading Description Assertions The test assertions applicable to the test case selected from
Digital Data Acquisition Tool Assertions and Test Plan Version 10
Tester Name Name or initials of person executing test procedure Test Host Host computer executing the test Test Date Time and date that test was started Drives Source drive (the drive acquired) destination drive (if a
clone is created) and media drive (to contain a created image)
Source Setup Layout of partitions on the source drive and the expected hash of the drive
Log Highlights Information extracted from various log files to illustrate conformance or nonconformance to the test assertions
Results Expected and actual results for each assertion tested Analysis Whether or not the expected results were achieved
52 Test Details
521 DA-01-ATA28 Test Case DA-01-ATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 104849 2011 Drives src(01-IDE) dst (58-IDE) other (none)Source src hash (SHA1) lt A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9 gtSetup src hash (MD5) lt F458F673894753FA6A0EC8B8EC63848E gt
78165360 total sectors (40020664320 bytes)Model (0BB-00JHC0 ) serial ( WD-WMAMC74171)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057175335 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12
July 2011 10 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027744255 102300001 102325463 05 extended 15 S 000000063 027744192 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry
LogHighlights
====== Destination drive setup ======117231408 sectors wiped with 58
====== Comparison of original to clone drive ======Sectors compared 78165360Sectors match 78165360 Sectors differ 0 Bytes differ 0 Diffs rangeSource (78165360) has 39066048 fewer sectors than destination (117231408)Zero fill 0 Src Byte fill (01) 0 Dst Byte fill (58) 39066048Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 78165360-117231407 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA28 of sectors acquired 78165360 (400 GB)Source hash SHA1 a48bb5665d6dc57c22db68e2f723da9aa8df82b9 MD5 f458f673894753fa6a0ec8b8ec63848e
====== Source drive rehash ====== Rehash (SHA1) of source A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expected
July 2011 11 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 AO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 12 of 53 Tableau TD1 Forensic Duplicator
522 DA-01-ATA48 Test Case DA-01-ATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 115123 2011 Drives src(4C) dst (46-SATA) other (none)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 390700737 sectors 200038777344 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 46
====== Comparison of original to clone drive ======Sectors compared 390721968Sectors match 390721968 Sectors differ 0 Bytes differ 0 Diffs rangeSource (390721968) has 97675200 fewer sectors than destination (488397168)Zero fill 0 Src Byte fill (4C) 0 Dst Byte fill (46) 97675200Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 390721968-488397167 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======
July 2011 13 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-01-ATA28 Tableau TD1 Version 234 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027744255 102300001 102325463 05 extended 15 S 000000063 027744192 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry
LogHighlights
====== Destination drive setup ======117231408 sectors wiped with 58
====== Comparison of original to clone drive ======Sectors compared 78165360Sectors match 78165360 Sectors differ 0 Bytes differ 0 Diffs rangeSource (78165360) has 39066048 fewer sectors than destination (117231408)Zero fill 0 Src Byte fill (01) 0 Dst Byte fill (58) 39066048Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 78165360-117231407 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA28 of sectors acquired 78165360 (400 GB)Source hash SHA1 a48bb5665d6dc57c22db68e2f723da9aa8df82b9 MD5 f458f673894753fa6a0ec8b8ec63848e
====== Source drive rehash ====== Rehash (SHA1) of source A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expected
July 2011 11 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA28 Tableau TD1 Version 234 AO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 12 of 53 Tableau TD1 Forensic Duplicator
522 DA-01-ATA48 Test Case DA-01-ATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 115123 2011 Drives src(4C) dst (46-SATA) other (none)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 390700737 sectors 200038777344 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 46
====== Comparison of original to clone drive ======Sectors compared 390721968Sectors match 390721968 Sectors differ 0 Bytes differ 0 Diffs rangeSource (390721968) has 97675200 fewer sectors than destination (488397168)Zero fill 0 Src Byte fill (4C) 0 Dst Byte fill (46) 97675200Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 390721968-488397167 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======
July 2011 13 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-01-ATA28 Tableau TD1 Version 234 AO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 12 of 53 Tableau TD1 Forensic Duplicator
522 DA-01-ATA48 Test Case DA-01-ATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 115123 2011 Drives src(4C) dst (46-SATA) other (none)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 390700737 sectors 200038777344 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 46
====== Comparison of original to clone drive ======Sectors compared 390721968Sectors match 390721968 Sectors differ 0 Bytes differ 0 Diffs rangeSource (390721968) has 97675200 fewer sectors than destination (488397168)Zero fill 0 Src Byte fill (4C) 0 Dst Byte fill (46) 97675200Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 390721968-488397167 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======
July 2011 13 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
522 DA-01-ATA48 Test Case DA-01-ATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 115123 2011 Drives src(4C) dst (46-SATA) other (none)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 390700737 sectors 200038777344 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 46
====== Comparison of original to clone drive ======Sectors compared 390721968Sectors match 390721968 Sectors differ 0 Bytes differ 0 Diffs rangeSource (390721968) has 97675200 fewer sectors than destination (488397168)Zero fill 0 Src Byte fill (4C) 0 Dst Byte fill (46) 97675200Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 390721968-488397167 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======
July 2011 13 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-01-ATA48 Tableau TD1 Version 234 dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ATA48 of sectors acquired 390721968 (2000 GB)Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 14 of 53 Tableau TD1 Forensic Duplicator
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
523 DA-01-ESATA Test Case DA-01-ESATA Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 101420 2011 Drives src(07-SATA) dst (26-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======312581808 sectors wiped with 26
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 156280320 fewer sectors than destination (312581808)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (26) 156280320Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-312581807 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 15 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-01-ESATA Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-ESATA of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 16 of 53 Tableau TD1 Forensic Duplicator
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
524 DA-01-SATA28 Test Case DA-01-SATA28 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device are notmodified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Mon Mar 21 135227 2011 Drives src(07-SATA) dst (22-IDE) other (none)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 156280257 sectors 80015491584 bytes
LogHighlights
====== Destination drive setup ======195813072 sectors wiped with 22
====== Comparison of original to clone drive ======Sectors compared 156301488Sectors match 156301488 Sectors differ 0 Bytes differ 0 Diffs rangeSource (156301488) has 39511584 fewer sectors than destination (195813072)Zero fill 0 Src Byte fill (07) 0 Dst Byte fill (22) 39511584Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 156301488-195813071 Other fill rangeOther not filled range0 source read errors 0 destination read errors
July 2011 17 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-01-SATA28 Tableau TD1 Version 234 ====== Tool Settings ======dst-interface ATA28 verify-hash on
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA28 of sectors acquired 156301488 (800 GB)Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 18 of 53 Tableau TD1 Forensic Duplicator
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
525 DA-01-SATA48 Test Case DA-01-SATA48 Tableau TD1 Version 234 Case Summary
DA-01 Acquire a physical device using access interface AI to an unalignedclone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to theclone device AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-17 If requested any excess sectors on a clone destination device arenot modified AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 21 132233 2011 Drives src(0D-SATA) dst (44-SATA) other (none)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 488375937 sectors 250048479744 bytes
LogHighlights
====== Destination drive setup ======488397168 sectors wiped with 44
====== Comparison of original to clone drive ======Sectors compared 488397168Sectors match 488397168 Sectors differ 0 Bytes differ 0 Diffs range0 source read errors 0 destination read errors
====== Tool Settings ======dst-interface SATA48 verify-hash off
======== Excerpt from Log file ========Task Disk to Disk Case DA-01-SATA48 of sectors acquired 488397168 (2500 GB)Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 19 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-01-SATA48 Tableau TD1 Version 234
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-17 Excess sectors are unchanged as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 20 of 53 Tableau TD1 Forensic Duplicator
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
526 DA-04 Test Case DA-04 Tableau TD1 Version 234 Case Summary
DA-04 Acquire a physical device to a truncated clone
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-04 If clone creation is specified the tool creates a clone of thedigital sourceAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-11 If requested a clone is created during an acquisition of a digitalsource AO-13 A clone is created using access interface DST-AI to write to the clonedevice AO-14 If an unaligned clone is created each sector written to the clone isaccurately written to the same disk address on the clone that the sectoroccupied on the digital sourceAO-19 If there is insufficient space to create a complete clone a truncatedclone is created using all available sectors of the clone deviceAO-20 If a truncated clone is created the tool notifies the userAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 103604 2011 Drives src(41) dst (90) other (none)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 078107967 sectors 39991279104 bytes
LogHighlights
====== Destination drive setup ======58633344 sectors wiped with 90====== Tool Message ======ALERT Destination disk is too small
====== Tool Settings ======dst-interface ATA28 verify-hash off
======== Excerpt from Log file ========No logfile created======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results
July 2011 21 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-04 Tableau TD1 Version 234 Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-04 A clone is created as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-11 A clone is created during acquisition as expectedAO-13 Clone created using interface AI as expectedAO-14 An unaligned clone is created as expectedAO-19 Truncated clone is created as expectedAO-20 User notified that clone is truncated as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 22 of 53 Tableau TD1 Forensic Duplicator
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
527 DA-06-ATA28 Test Case DA-06-ATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Tue Mar 22 105413 2011 Drives src(43) dst (none) other (78-SATA-SSD)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-06-ATA28 Tableau TD1 Version 234 29-09 00003 D2FLOG 2 -rwx------ 1 ubuntu root 699990016 2011-03-22 1129 IMAGE001 3 -rwx------ 1 ubuntu root 699990016 2011-03-22 1129 IMAGE002
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA28 of sectors acquired 78125000 (400 GB)Chunk size in sectors 1367168 (6999 MB)Chunks expected 58Chunks written 58 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 24 of 53 Tableau TD1 Forensic Duplicator
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
528 DA-06-ATA48 Test Case DA-06-ATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 152315 2011 Drives src(4C) dst (none) other (64-SATA)Source src hash (SHA1) lt 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF gtSetup src hash (MD5) lt D10F763B56D4CEBA2D1311C61F9FB382 gt
390721968 total sectors (200049647616 bytes)2432025463 (max cylhd values)2432125563 (number of cylhd)IDE disk Model (WDC WD2000JB-00KFA0) serial (WD-WMAMR1031111)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 390700737 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ATA48 of sectors acquired 390721968 (2000 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 51Chunks written 51 Source hash SHA1 8ff620d2bedccafe8412edaad56c8554f872efbf MD5 d10f763b56d4ceba2d1311c61f9fb382
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 25 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-06-ATA48 Tableau TD1 Version 234 Rehash (SHA1) of source 8FF620D2BEDCCAFE8412EDAAD56C8554F872EFBF
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 26 of 53 Tableau TD1 Forensic Duplicator
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
529 DA-06-ESATA Test Case DA-06-ESATA Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 091457 2011 Drives src(07-SATA) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-ESATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
July 2011 27 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-06-ESATA Tableau TD1 Version 234 ====== Source drive rehash ====== Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 28 of 53 Tableau TD1 Forensic Duplicator
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
5210 DA-06-SATA28 Test Case DA-06-SATA28 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host McGarrett Test Date Fri Mar 25 085858 2011 Drives src(07-SATA) dst (none) other (58-SATA)Source src hash (SHA256) ltSetup CE65C4A3C3164D3EBAD58D33BB2415D29E260E1F88DC5A131B1C4C9C2945B8A9 gt
src hash (SHA1) lt 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E gtsrc hash (MD5) lt 2EAF712DAD80F66E30DEA00365B4579B gt156301488 total sectors (80026361856 bytes)Model (WDC WD800JD-32HK) serial (WD-WMAJ91510044)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 156280257 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA28 of sectors acquired 156301488 (800 GB)Chunk size in sectors 1953088 (9999 MB)Chunks expected 81Chunks written 81 Source hash SHA1 655e9bddb36a3f9c5c4cc8bf32b8c5b41af9f52e MD5 2eaf712dad80f66e30dea00365b4579b
======== End of Excerpt from Log file ========
====== Source drive rehash ======
July 2011 29 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-06-SATA28 Tableau TD1 Version 234 Rehash (SHA1) of source 655E9BDDB36A3F9C5C4CC8BF32B8C5B41AF9F52E
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 30 of 53 Tableau TD1 Forensic Duplicator
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
5211 DA-06-SATA48 Test Case DA-06-SATA48 Tableau TD1 Version 234 Case Summary
DA-06 Acquire a physical device using access interface AI to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Tue Mar 22 155937 2011 Drives src(0D-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt BAAD80E8781E55F2E3EF528CA73BD41D228C1377 gtSetup src hash (MD5) lt 1FA7C3CBE60EB9E89863DED2411E40C9 gt
488397168 total sectors (250059350016 bytes)3040025463 (max cylhd values)3040125563 (number of cylhd)Model (WDC WD2500JD-22F) serial (WD-WMAEH2678216)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 488375937 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
======== Excerpt from Log file ========Task Disk to File Case DA-06-SATA48 of sectors acquired 488397168 (2500 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 63Chunks written 63 Source hash SHA1 baad80e8781e55f2e3ef528ca73bd41d228c1377 MD5 1fa7c3cbe60eb9e89863ded2411e40c9
July 2011 31 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-06-SATA48 Tableau TD1 Version 234 ======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source BAAD80E8781E55F2E3EF528CA73BD41D228C1377
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 32 of 53 Tableau TD1 Forensic Duplicator
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
5212 DA-08-ATA28 Test Case DA-08-ATA28 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 125053 2011 Drives src(42) dst (none) other (39-SATA)Source src hash (SHA1) lt 5A75399023056E0EB905082B35F8FAA1DB049229 gtSetup src hash (MD5) lt F4B9AAB24554EEEB2A962BDA554A9252 gt
78165360 total sectors (40020664320 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400JB-00JJC0) serial (WD-WCAMA3958512)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 070348572 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 070348572 sectors 36018468864 bytes
HPA created BIOS XBIOS and Direct disk geometry Reporter (BXDR)BXDR 128 S70000000 P fbxdrlogtxtSetting Maximum Addressable Sector to 70000000MAS now set to 70000000
Hashes with HPA in placemd59BF3C3DEADE47056A1DDC073C5F6B2E2 sha1D76F909482B00767B62C295CADE202F92E61CD2E
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
July 2011 33 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-08-ATA28 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-08-ATA28 of sectors acquired 78165360 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11
Model WDC WD400JB-00JJC0 SN WD-WCAMA3958512Firmware Revision 0501C05 Capacity in sectors reported Pwr-ON 70000001 (358 GB)Capacity in sectors reported by HPA 78165360 (400 GB)Capacity in sectors reported by DCO 78165360 (400 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type IDESource hash SHA1 5a75399023056e0eb905082b35f8faa1db049229 MD5 f4b9aab24554eeeb2a962bda554a9252
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 5A75399023056E0EB905082B35F8FAA1DB049229
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 34 of 53 Tableau TD1 Forensic Duplicator
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
5213 DA-08-DCO Test Case DA-08-DCO Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 143004 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO of sectors acquired 140000001 (716 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 18Chunks written 18
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 140000001 (716 GB)
July 2011 35 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-08-DCO Tableau TD1 Version 234 Capacity in sectors reported by HPA 140000001 (716 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type SATASource hash SHA1 ac64cf1b3736bb2fe40c14d871e6f207bc432c2f MD5 e5f8b277a39ed0f49794e9916cd62dd9
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 36 of 53 Tableau TD1 Forensic Duplicator
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
5214 DA-08-DCO-ALT Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 150436 2011 Drives src(92) dst (none) other (39-SATA)Source src hash (SHA1) lt 63E6F7BD3040A8ADA2CF8FBF66A805B76DF10481 gtSetup src hash (MD5) lt E095DD1BD0B0DD6E603153A3FE1A2F3E gt
58633344 total sectors (30020272128 bytes)5816701563 (max cylhd values)5816801663 (number of cylhd)IDE disk Model (WDC WD300BB-00CAA0) serial (WD-WMA8H2140350)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 058605057 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
1 058605057 sectors 30005789184 bytes
Hashes with DCO in placemd5525963C6789423396FE1F3202A8CBD04 sha155A3CFE756B7B0034DCCE71F7D7A477D8681B781
LogHighlights
====== Tool Message ======ALERT Source disk may be blank
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT of sectors acquired 52770010 (270 GB)Chunk size in sectors 7812480 (39 GB)
July 2011 37 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-08-DCO-ALT Tableau TD1 Version 234 Chunks expected 7Chunks written 7
Model WDC WD300BB-00CAA0 SN WD-WMA8H2140350Firmware Revision 1606V16 Capacity in sectors reported Pwr-ON 52770010 (270 GB)Capacity in sectors reported by HPA 52770010 (270 GB)Capacity in sectors reported by DCO 58633344 (300 GB)HPA in use No DCO in use Yes ATA Security in use NoCableInterface type IDESource hash SHA1 55a3cfe756b7b0034dcce71f7d7a477d8681b781 MD5 525963c6789423396fe1f3202a8cbd04
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 55A3CFE756B7B0034DCCE71F7D7A477D8681B781
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired DCO not acquiredAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct bogus error messageAO-24 Source is unchanged by acquisition as expected
Analysis Expected results not achieved
July 2011 38 of 53 Tableau TD1 Forensic Duplicator
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
5215 DA-08-DCO-ALT-SATA Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Mon Mar 28 092504 2011 Drives src(15-SATA) dst (none) other (39-SATA)Source src hash (SHA1) lt 76B22DDE84CE61F090791DDBB79057529AAF00E1 gtSetup src hash (MD5) lt 9B4A9D124107819A9CE6F253FE7DC675 gt
156301488 total sectors (80026361856 bytes)Model (0JD-00HKA0 ) serial (WD-WMAJ91513490)
DCO Created with Maximum LBA Sectors = 140000000Hashes with DCO in placemd5 E5F8B277A39ED0F49794E9916CD62DD9 sha1 AC64CF1B3736BB2FE40C14D871E6F207BC432C2F
LogHighlights
====== Tool Message ======ALERT Source disk DCO has not been removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-DCO-ALT-SATA of sectors acquired 156301488 (800 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 21Chunks written 21
Model WDC WD800JD-00HKA0 SN WD-WMAJ91513490Firmware Revision 1303G13 Capacity in sectors reported Pwr-ON 156301488 (800 GB)
July 2011 39 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-08-DCO-ALT-SATA Tableau TD1 Version 234 Capacity in sectors reported by HPA 156301488 (800 GB)Capacity in sectors reported by DCO 156301488 (800 GB)HPA in use No DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 76b22dde84ce61f090791ddbb79057529aaf00e1 MD5 9b4a9d124107819a9ce6f253fe7dc675
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 76B22DDE84CE61F090791DDBB79057529AAF00E1
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 40 of 53 Tableau TD1 Forensic Duplicator
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
5216 DA-08-SATA48 Test Case DA-08-SATA48 Tableau TD1 Version 234 Case Summary
DA-08 Acquire a physical drive with hidden sectors to an image file
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-07 All hidden sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Thu Mar 24 131725 2011 Drives src(1E-SATA) dst (none) other (64-SATA)Source src hash (SHA1) lt 3E7439D9E99ACD030B969C1BE5B1430BF7183573 gtSetup src hash (MD5) lt 8E1CF5E20E86362E0EACF12EDDEF42A6 gt
625142448 total sectors (320072933376 bytes)3891225463 (max cylhd values)3891325563 (number of cylhd)Model (ST3320620AS ) serial ( 5QF3X4F6)
HPA created
HPA Created with Maximum LBA Sectors = 560000000Hashes with HPA in placemd5 3655FA5086B6864154898533DFAE2442 sha1 EB1045B57DE7CDA28FE9504E3FA238D0B5DBC587
LogHighlights
====== Tool Message ======ALERT Source disk HPA has been auto removed
======== Excerpt from Log file ========Task Disk to File Case DA-08-SATA48 of sectors acquired 625142448 (3200 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 81Chunks written 81
July 2011 41 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-08-SATA48 Tableau TD1 Version 234 Model ST3320620AS SN 5QF3X4F6Firmware Revision 3AAK Capacity in sectors reported Pwr-ON 560000001 (2867 GB)Capacity in sectors reported by HPA 625142448 (3200 GB)Capacity in sectors reported by DCO 625142448 (3200 GB)HPA in use Yes DCO in use No ATA Security in use NoCableInterface type SATASource hash SHA1 3e7439d9e99acd030b969c1be5b1430bf7183573 MD5 8e1cf5e20e86362e0eacf12eddef42a6
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 3E7439D9E99ACD030B969C1BE5B1430BF7183573
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-07 All hidden sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 42 of 53 Tableau TD1 Forensic Duplicator
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
5217 DA-09-COMPLETE Test Case DA-09-COMPLETE Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location within thedigital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Fri Mar 25 103234 2011 Drives src(ED-BAD-CPR4) dst (none) other (78-SATA-SSD)Source No before hash for ED-BAD-CPR4 Setup
Known Bad Sector List for ED-BAD-CPR4
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y23EGSJE Capacity 60GBInterface SATA
====== Destination drive setup ======125045424 sectors wiped with 78
====== Comparison of original to clone drive ======Sectors compared 120103200Sectors match 120103165 Sectors differ 35 Bytes differ 17885 Diffs range 6160328 6160362 10041157 10041995 1011863410209448 11256569 14115689 14778391-14778392 1477844914778479 14778517-14778521 14778551 14778607 14778626-1477862714778650 14778668-14778669 14778709 14778727 1477874714778772 14778781 14778870 14778949 14778953 1477903814779113 14779321Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0
July 2011 43 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-09-COMPLETE Tableau TD1 Version 234 Dst Byte fill (78) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results achieved
July 2011 44 of 53 Tableau TD1 Forensic Duplicator
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
5218 DA-09-FAST Test Case DA-09-FAST Tableau TD1 Version 234 Case Summary
DA-09 Acquire a digital source that has at least one faulty data sector
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image fileon file system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAM-09 If unresolved errors occur while reading from the selected digitalsource the tool notifies the user of the error type and location withinthe digital sourceAM-10 If unresolved errors occur while reading from the selected digitalsource the tool uses a benign fill in the destination object in place ofthe inaccessible data AO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environmentthe digital source is unchanged by the acquisition process
Tester Name brl Test Host TD1 Test Date Fri Mar 25 092538 2011 Drives src(ED-BAD-CPR3) dst (79-SATA-SSD) other (none)Source No before hash for ED-BAD-CPR3 Setup
Known Bad Sector List for ED-CPR-BAD-3
Manufacturer Maxtor Model DiamondMax Plus 9 Serial Number Y239EQSECapacity 60GBInterface PATA
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-09-FAST Tableau TD1 Version 234 74452096-74452159 74454144-74454207 74454784-7445484774457600-74457663 74713728-74713791 74870272-7487033577873600-77873663 79803968-79804031 81355264-8135532783602304-83602367 83724800-83724863 83727552-8372761583728128-83728191 85378496-85378559 85668096-8566815985670656-85670719 86204736-86204799 86205376-8620543986246080-86246143 86247936-86247999 86714176-8671423986714816-86714879 87223872-87223935 87225664-8722572787266624-87266687 87573184-87573247 88893504-8889356789003072-89003135 89640832-89640895 90666368-9066643191745408-91745471 92792320-92792383 93141120-9314118393142848-93142911 93143424-93143487 93145920-9314598393146496-93146559 93726720-93726783 94384896-9438495994386688-94386751 96059904-96059967 97632192-9763225597788672-97788735 98668672-98668735 101185024-101185087101543104-101543167 102185856-102185919 102186368-102186431102906944-102907007 103050496-103050559 103051712-103051775103053376-103053439 103053952-103054015 103056256-103056319103056832-103056895 103682368-103682431 103781888-103781951103783168-103783231 103784768-103784831 103836480-103836543104514048-104514111 104516416-104516479 104516928-104516991104985728-104985791 105053888-105053951 105122176-105122239105561152-105561215 106184000-106184063 106844032-106844095107791424-107791487 108072192-108072255 108074368-108074431108074880-108074943 108077056-108077119 108077568-108077631108127680-108127743 108129856-108129919 109183360-109183423110705536-110705599 110706112-110706175 110708224-110708287110708800-110708863 110710912-110711039 110779840-110779903110780352-110780415 111232384-111232447 111234368-111234431111812544-111812607 111813952-111814015 112514176-112514239113839680-113839743 114291136-114291199 114291648-114291711114293696-114293759 114776000-114776063 114776512-114776575114777920-114777983 115004544-115004607 115005056-115005119115007104-115007167 115379968-115380031 115722880-115722943115723328-115723391 115903680-115903743 115930240-115930303115930688-115930751 118133568-118133631 118309632-118309695118311552-118311615 119468992-119469055 119469504-119469567119471360-119471423 119717824-119717887Source (120103200) has 4942224 fewer sectors than destination (125045424)Zero fill 0 Src Byte fill (ED) 0 Dst Byte fill (79) 4942224 Other fill 0 Other no fill 0 Zero fill rangeSrc fill rangeDst fill range 120103200-125045423 Other fill rangeOther not filled range0 source read errors 0 destination read errors
====== Tool Settings ======error-recovery fast
======== Excerpt from Log file ========Task Disk to Disk Case DA-09_FAST of sectors acquired 120103200 (614 GB)Total errors 325 Errors recorded 127 ltltWARNING ERROR LIST TRUNCATEDgtgt -------------------------List of errors-------------------------Error 1 Read error (source) address=67392 length=64Error 2 Read error (source) address=68160 length=64Error 3 Read error (source) address=688128 length=64Error 4 Read error (source) address=1768960 length=64
July 2011 48 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-09-FAST Tableau TD1 Version 234 Error 125 Read error (source) address=47321152 length=64Error 126 Read error (source) address=47323264 length=64Error 127 Read error (source) address=47323328 length=64ltltWARNING ERROR LIST TRUNCATEDgtgt ======== End of Excerpt from Log file ========
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired some sectors skippedAM-08 All sectors accurately acquired as expectedAM-09 Error logged as expectedAM-10 Benign fill replaces inaccessible sectors as expectedAO-01 Image file is complete and accurate as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition not checked
Analysis Expected results not achieved
July 2011 49 of 53 Tableau TD1 Forensic Duplicator
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
5219 DA-10-E01 Test Case DA-10-E01 Tableau TD1 Version 234 Case Summary
DA-10 Acquire a digital source to an image file in an alternate format
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-02 If an image file format is specified the tool creates an image filein the specified formatAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 132929 2011 Drives src(43) dst (none) other (64-SATA)Source src hash (SHA256) ltSetup 2658F47603DE6B1D883B64823E9733F578658D08D06A4BB8C053C4F57BDC615E gt
src hash (SHA1) lt 888E2E7F7AD237DC7A732281DD93F325065E5871 gtsrc hash (MD5) lt BC39C3F7EE7A50E77B9BA1E65A5AEEF7 gt78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0 ) serial ( WD-WMAMC46588)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 020980827 000000101 102325463 0C Fat32X 2 X 020980890 057143205 102300001 102325463 0F extended 3 S 000000063 000032067 102300101 102325463 01 Fat12 4 x 000032130 002104515 102300001 102325463 05 extended 5 S 000000063 002104452 102300101 102325463 06 Fat16 6 x 002136645 004192965 102300001 102325463 05 extended 7 S 000000063 004192902 102300101 102325463 16 other 8 x 006329610 008401995 102300001 102325463 05 extended 9 S 000000063 008401932 102300101 102325463 0B Fat32
10 x 014731605 010490445 102300001 102325463 05 extended 11 S 000000063 010490382 102300101 102325463 83 Linux 12 x 025222050 004209030 102300001 102325463 05 extended 13 S 000000063 004208967 102300101 102325463 82 Linux swap14 x 029431080 027712125 102300001 102325463 05 extended 15 S 000000063 027712062 102300101 102325463 07 NTFS 16 S 000000000 000000000 000000000 000000000 00 empty entry17 P 000000000 000000000 000000000 000000000 00 empty entry18 P 000000000 000000000 000000000 000000000 00 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytes
LogHighlights ====== Tool Settings ======
verify-hash off
July 2011 50 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-10-E01 Tableau TD1 Version 234 ====== Image file segments ======
======== Excerpt from Log file ========Task Disk to File Case DA-10-E01 of sectors acquired 78125000 (400 GB)Chunk size in sectors 4194304 (21 GB)Chunks expected 19Chunks written 2 Source hash SHA1 888e2e7f7ad237dc7a732281dd93f325065e5871 MD5 bc39c3f7ee7a50e77b9ba1e65a5aeef7
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 888E2E7F7AD237DC7A732281DD93F325065E5871
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-02 Image file in specified format as expectedAO-05 Multifile image created as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 51 of 53 Tableau TD1 Forensic Duplicator
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
5220 DA-13 Test Case DA-13 Tableau TD1 Version 234 Case Summary
DA-13 Create an image file where there is insufficient space on a singlevolume and use destination device switching to continue on another volume
Assertions AM-01 The tool uses access interface SRC-AI to access the digital sourceAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE AM-05 If image file creation is specified the tool creates an image file onfile system type FSAM-06 All visible sectors are acquired from the digital sourceAM-08 All sectors acquired from the digital source are acquired accuratelyAO-01 If the tool creates an image file the data represented by the imagefile is the same as the data acquired by the toolAO-04 If the tool is creating an image file and there is insufficient spaceon the image destination device to contain the image file the tool shallnotify the userAO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage and if destination device switching is supported the image iscontinued on another device AO-22 If requested the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital sourceAO-23 If the tool logs any log significant information the information isaccurately recorded in the log fileAO-24 If the tool executes in a forensically safe execution environment thedigital source is unchanged by the acquisition process
Tester Name
brl
Test Host TD1 Test Date Wed Mar 23 100605 2011 Drives src(41) dst (39-SATA) other (90)Source src hash (SHA256) ltSetup FBF3AA21489653D880FFAE71449A9F7E8EE4F56A6C3BF58A3A3FFB13203F1B1D gt
src hash (SHA1) lt 15CAA1A307271160D8372668BF8A03FC45A51CC9 gtsrc hash (MD5) lt 0A6A8EF78BDC14E2026710D8CCB5607C gt78125000 total sectors (40000000000 bytes)6553401563 (max cylhd values)6553501663 (number of cylhd)IDE disk Model (WDC WD400BB-75JHC0) serial (WD-WMAMC4658355)N Start LBA Length Start CHS End CHS boot Partition type1 P 000000063 078107967 000000101 102325463 Boot 07 NTFS2 P 000000000 000000000 000000000 000000000 00 empty entry3 P 000000000 000000000 000000000 000000000 00 empty entry4 P 000000000 000000000 000000000 000000000 00 empty entry
July 2011 52 of 53 Tableau TD1 Forensic Duplicator
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
Test Case DA-13 Tableau TD1 Version 234
======== Excerpt from Log file ========Task Disk to File Case DA-13 of sectors acquired 78125000 (400 GB)Chunk size in sectors 7812480 (39 GB)Chunks expected 11Chunks written 11 Source hash SHA1 15caa1a307271160d8372668bf8a03fc45a51cc9 MD5 0a6a8ef78bdc14e2026710d8ccb5607c
======== End of Excerpt from Log file ========
====== Source drive rehash ====== Rehash (SHA1) of source 15CAA1A307271160D8372668BF8A03FC45A51CC9
Results Assertion amp Expected Result Actual Result AM-01 Source acquired using interface AI as expectedAM-02 Source is type DS as expectedAM-03 Execution environment is XE as expectedAM-05 An image is created on file system type FS as expectedAM-06 All visible sectors acquired as expectedAM-08 All sectors accurately acquired as expectedAO-01 Image file is complete and accurate as expectedAO-04 User notified if space exhausted as expectedAO-05 Multifile image created as expectedAO-10 Image file continued on new device as expectedAO-22 Tool calculates hashes by block option not availableAO-23 Logged information is correct as expectedAO-24 Source is unchanged by acquisition as expected
Analysis Expected results achieved
July 2011 53 of 53 Tableau TD1 Forensic Duplicator
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov
tableau_td1_nij 72811_KE edit 1024pdf
Introduction
How to Read This Report
1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
31 Acquisition of Faulty Sectors
32 DCO Hidden Sector Tests
33 Bogus Error Messages
4 Testing Environment
41 Support Software
42 Test Drive Creation
43 Test Drive Analysis
44 Note on Test Drives
5 Test Results
51 Test Results Report Key
52 Test Details
521 DA-01-ATA28
522 DA-01-ATA48
523 DA-01-ESATA
524 DA-01-SATA28
525 DA-01-SATA48
526 DA-04
527 DA-06-ATA28
528 DA-06-ATA48
529 DA-06-ESATA
5210 DA-06-SATA28
5211 DA-06-SATA48
5212 DA-08-ATA28
5213 DA-08-DCO
5214 DA-08-DCO-ALT
5215 DA-08-DCO-ALT-SATA
5216 DA-08-SATA48
5217 DA-09-COMPLETE
5218 DA-09-FAST
5219 DA-10-E01
5220 DA-13
About the National Institute of Justice A component of the Office of Justice Programs NIJ is the research development and evalua-tion agency of the US Department of Justice NIJrsquos mission is to advance scientific research development and evaluation to enhance the administration of justice and public safety NIJrsquos principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968 as amended (see 42 USC sectsect 3721ndash3723)
The NIJ Director is appointed by the President and confirmed by the Senate The Director estab-lishes the Institutersquos objectives guided by the priorities of the Office of Justice Programs the US Department of Justice and the needs of the field The Institute actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice
Strategic Goals NIJ has seven strategic goals grouped into three categories
Creating relevant knowledge and tools
1 Partner with state and local practitioners and policymakers to identify social science research and technology needs
2 Create scientific relevant and reliable knowledgemdashwith a particular emphasis on terrorism violent crime drugs and crime cost-effectiveness and community-based effortsmdashto enhance the administration of justice and public safety
3 Develop affordable and effective tools and technologies to enhance the administration of justice and public safety
Dissemination
4 Disseminate relevant knowledge and information to practitioners and policymakers in an understandable timely and concise manner
5 Act as an honest broker to identify the information tools and technologies that respond to the needs of stakeholders
Agency management
6 Practice fairness and openness in the research and development process
7 Ensure professionalism excellence accountability cost-effectiveness and integrity in the man-agement and conduct of NIJ activities and programs
Program Areas In addressing these strategic challenges the Institute is involved in the following program areas crime control and prevention including policing drugs and crime justice systems and offender behavior including corrections violence and victimization communications and infor-mation technologies critical incident response investigative and forensic sciences including DNA less-than-lethal technologies officer protection education and training technologies test-ing and standards technology assistance to law enforcement and corrections agencies field testing of promising programs and international crime control
In addition to sponsoring research and development and technology assistance NIJ evaluates programs policies and technologies NIJ communicates its research and evaluation findings through conferences and print and electronic media
To find out more about the National Institute of Justice please visit
wwwnijgov
or contact
National Criminal Justice Reference Service
PO Box 6000 Rockville MD 20849ndash6000 800ndash851ndash3420 httpwwwncjrsgov